Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
IGAnbXyZVx.exe

Overview

General Information

Sample name:IGAnbXyZVx.exe
renamed because original name is a hash value
Original sample name:f194835270a81357b06e41c56103d7065107bad719fab220f518f07138d33b87.exe
Analysis ID:1524039
MD5:6073814ce9d8799eed467e85f78d1599
SHA1:8984255be7f0b0099bfdfa280a03a74143933abb
SHA256:f194835270a81357b06e41c56103d7065107bad719fab220f518f07138d33b87
Tags:exeGuizhouSixuandaTechnologyCoLtdsigneduser-JAMESWT_MHT
Infos:

Detection

LummaC, Go Injector, LummaC Stealer
Score:87
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Go Injector
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w10x64
  • IGAnbXyZVx.exe (PID: 6432 cmdline: "C:\Users\user\Desktop\IGAnbXyZVx.exe" MD5: 6073814CE9D8799EED467E85F78D1599)
    • BitLockerToGo.exe (PID: 5612 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["tearrybyiwo.shop", "captainynfanw.shop", "strappystyio.shop", "fossillargeiw.shop", "tendencerangej.shop", "nurserrsjwuwq.shop", "coursedonnyre.shop", "surveriysiop.shop", "appleboltelwk.shop"], "Build id": "c2CoW0--adv1"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
IGAnbXyZVx.exeJoeSecurity_GoInjector_2Yara detected Go InjectorJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000002.2461513968.00007FF7FE224000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_GoInjector_2Yara detected Go InjectorJoe Security
      00000000.00000000.2025429322.00007FF7FE224000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_GoInjector_2Yara detected Go InjectorJoe Security
        Process Memory Space: IGAnbXyZVx.exe PID: 6432JoeSecurity_GoInjector_2Yara detected Go InjectorJoe Security
          decrypted.memstrJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.0.IGAnbXyZVx.exe.7ff7fd7b0000.0.unpackJoeSecurity_GoInjector_2Yara detected Go InjectorJoe Security
              0.2.IGAnbXyZVx.exe.7ff7fd7b0000.4.unpackJoeSecurity_GoInjector_2Yara detected Go InjectorJoe Security

                Sigma Signatures

                No Sigma rule has matched

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-02T14:58:20.992417+020020546531A Network Trojan was detected192.168.2.564662188.114.96.3443TCP
                2024-10-02T14:58:23.461744+020020546531A Network Trojan was detected192.168.2.564664104.21.16.12443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-02T14:58:20.992417+020020498361A Network Trojan was detected192.168.2.564662188.114.96.3443TCP
                2024-10-02T14:58:23.461744+020020498361A Network Trojan was detected192.168.2.564664104.21.16.12443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-02T14:58:21.038716+020020560361Domain Observed Used for C2 Detected192.168.2.5539731.1.1.153UDP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-02T14:58:21.010471+020020560401Domain Observed Used for C2 Detected192.168.2.5628561.1.1.153UDP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-02T14:58:21.162532+020020560421Domain Observed Used for C2 Detected192.168.2.5600721.1.1.153UDP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-02T14:58:21.066841+020020560461Domain Observed Used for C2 Detected192.168.2.5622581.1.1.153UDP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-02T14:58:21.173967+020020560521Domain Observed Used for C2 Detected192.168.2.5637761.1.1.153UDP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-02T14:58:21.000355+020020560541Domain Observed Used for C2 Detected192.168.2.5628691.1.1.153UDP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-02T14:58:21.023896+020020560561Domain Observed Used for C2 Detected192.168.2.5502041.1.1.153UDP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-02T14:58:21.052661+020020560581Domain Observed Used for C2 Detected192.168.2.5628041.1.1.153UDP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus detection for URL or domain
                Source: https://steamcommunity.com/profiles/76561199724331900URL Reputation: Label: malware
                Source: https://steamcommunity.com/profiles/76561199724331900/inventory/URL Reputation: Label: malware
                Source: https://steamcommunity.com/profiles/76561199724331900/badgesURL Reputation: Label: malware
                Found malware configuration
                Source: 0.3.IGAnbXyZVx.exe.28a7e4d0000.0.unpackMalware Configuration Extractor: LummaC {"C2 url": ["tearrybyiwo.shop", "captainynfanw.shop", "strappystyio.shop", "fossillargeiw.shop", "tendencerangej.shop", "nurserrsjwuwq.shop", "coursedonnyre.shop", "surveriysiop.shop", "appleboltelwk.shop"], "Build id": "c2CoW0--adv1"}
                Multi AV Scanner detection for submitted file
                Source: IGAnbXyZVx.exeReversingLabs: Detection: 21%
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 95.3% probability
                Sample uses string decryption to hide its real strings
                Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString decryptor: strappystyio.shop
                Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString decryptor: coursedonnyre.shop
                Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString decryptor: fossillargeiw.shop
                Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString decryptor: tendencerangej.shop
                Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString decryptor: appleboltelwk.shop
                Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString decryptor: tearrybyiwo.shop
                Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString decryptor: captainynfanw.shop
                Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString decryptor: surveriysiop.shop
                Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString decryptor: nurserrsjwuwq.shop
                Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
                Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
                Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
                Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
                Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString decryptor: Workgroup: -
                Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString decryptor: c2CoW0--adv1
                Source: IGAnbXyZVx.exeStatic PE information: certificate valid
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:64662 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:64663 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.16.12:443 -> 192.168.2.5:64664 version: TLS 1.2
                Source: IGAnbXyZVx.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Source: Binary string: BitLockerToGo.pdb source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C000600000.00000004.00001000.00020000.00000000.sdmp, IGAnbXyZVx.exe, 00000000.00000003.2439647614.0000028A7E470000.00000004.00001000.00020000.00000000.sdmp, IGAnbXyZVx.exe, 00000000.00000002.2459717228.000000C000800000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: BitLockerToGo.pdbGCTL source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C000600000.00000004.00001000.00020000.00000000.sdmp, IGAnbXyZVx.exe, 00000000.00000003.2439647614.0000028A7E470000.00000004.00001000.00020000.00000000.sdmp, IGAnbXyZVx.exe, 00000000.00000002.2459717228.000000C000800000.00000004.00001000.00020000.00000000.sdmp
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_030AD0F0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+0Ch]3_2_030AFC50
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_030C1310
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_030C933C
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], dx3_2_030C0330
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_030EC370
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then dec ebx3_2_030E03D0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_030C83FA
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+10h]3_2_030A12C0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_030C82F2
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h3_2_030E1160
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov di, 0008h3_2_030A91EF
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [edx+34h], 00000001h3_2_030A91EF
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+00000878h]3_2_030C91E6
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_030CD1F0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebx, byte ptr [esi+edx]3_2_030A1000
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edi, byte ptr [ecx+esi]3_2_030A7020
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp byte ptr [esi+eax+23h], 00000000h3_2_030AF032
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+74h]3_2_030D305E
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al3_2_030CE0B0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al3_2_030CE0F2
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [ebp-3Ch]3_2_030C87A0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [ebx], cx3_2_030CF7FC
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+04h]3_2_030B567D
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+04h]3_2_030B567D
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+04h]3_2_030B567D
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh3_2_030E56A0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [ecx+eax]3_2_030AF6F0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+000000B8h]3_2_030B256A
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+000001B8h]3_2_030B256A
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+000000B8h]3_2_030B256A
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [ebx], cx3_2_030CF57C
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebx, byte ptr [edx]3_2_030DC5F0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_030CEB14
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [esp], 00000000h3_2_030BAB30
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h3_2_030C6B40
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al3_2_030D2920
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al3_2_030D2920
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al3_2_030D2920
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al3_2_030D2920
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al3_2_030D2920
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [esi+edi]3_2_030A4B50
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+000000A8h]3_2_030BDBE9
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+000000A8h]3_2_030BDBE9
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+000000A8h]3_2_030BDBE9
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [esi+ebx]3_2_030A5BE0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+08h]3_2_030ADA10
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al3_2_030D2920
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al3_2_030D2920
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al3_2_030D2920
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al3_2_030D2920
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al3_2_030D2920
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh3_2_030E9960
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ebx, ecx3_2_030B59E8
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp byte ptr [edi], 00000000h3_2_030B49F2
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp word ptr [eax+edi+02h], 0000h3_2_030BD816
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh3_2_030E6810
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [ebp-14h]3_2_030CEF22
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [ebp-14h]3_2_030CEF22
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [ebp-14h]3_2_030CEF22
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al3_2_030CDF23
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah3_2_030EBF90
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]3_2_030D0FA0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h3_2_030EBE20
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, word ptr [esi+eax*4-04h]3_2_030ABE30
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ecx, word ptr [esi+eax]3_2_030E2E70
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+000001B8h]3_2_030B2E74
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_030E8EC0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ecx, word ptr [eax]3_2_030BEEE6
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h3_2_030BEEE6
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], dx3_2_030BEEE6
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]3_2_030ADDA0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], cx3_2_030C6DA0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+04h]3_2_030B4DA6
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh3_2_030E5DE0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh3_2_030CCDF0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh3_2_030CCDF0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_030CCDF0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esi+04h]3_2_030B4C20
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h3_2_030EBCA0

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2056036 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop) : 192.168.2.5:53973 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2056042 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop) : 192.168.2.5:60072 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2056040 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop) : 192.168.2.5:62856 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2056058 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop) : 192.168.2.5:62804 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2056046 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop) : 192.168.2.5:62258 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2056056 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop) : 192.168.2.5:50204 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2056052 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop) : 192.168.2.5:63776 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2056054 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop) : 192.168.2.5:62869 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:64664 -> 104.21.16.12:443
                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:64664 -> 104.21.16.12:443
                Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:64662 -> 188.114.96.3:443
                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:64662 -> 188.114.96.3:443
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: tearrybyiwo.shop
                Source: Malware configuration extractorURLs: captainynfanw.shop
                Source: Malware configuration extractorURLs: strappystyio.shop
                Source: Malware configuration extractorURLs: fossillargeiw.shop
                Source: Malware configuration extractorURLs: tendencerangej.shop
                Source: Malware configuration extractorURLs: nurserrsjwuwq.shop
                Source: Malware configuration extractorURLs: coursedonnyre.shop
                Source: Malware configuration extractorURLs: surveriysiop.shop
                Source: Malware configuration extractorURLs: appleboltelwk.shop
                Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                Source: Joe Sandbox ViewIP Address: 104.102.49.254 104.102.49.254
                Source: Joe Sandbox ViewIP Address: 104.21.16.12 104.21.16.12
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: nurserrsjwuwq.shop
                Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gravvitywio.store
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
                Source: global trafficDNS traffic detected: DNS query: nurserrsjwuwq.shop
                Source: global trafficDNS traffic detected: DNS query: surveriysiop.shop
                Source: global trafficDNS traffic detected: DNS query: captainynfanw.shop
                Source: global trafficDNS traffic detected: DNS query: tearrybyiwo.shop
                Source: global trafficDNS traffic detected: DNS query: appleboltelwk.shop
                Source: global trafficDNS traffic detected: DNS query: tendencerangej.shop
                Source: global trafficDNS traffic detected: DNS query: fossillargeiw.shop
                Source: global trafficDNS traffic detected: DNS query: coursedonnyre.shop
                Source: global trafficDNS traffic detected: DNS query: strappystyio.shop
                Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
                Source: global trafficDNS traffic detected: DNS query: gravvitywio.store
                Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: nurserrsjwuwq.shop
                Source: IGAnbXyZVx.exeString found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
                Source: IGAnbXyZVx.exeString found in binary or memory: http://cevcsca2021.ocsp-certum.com07
                Source: IGAnbXyZVx.exeString found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
                Source: IGAnbXyZVx.exeString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
                Source: IGAnbXyZVx.exeString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
                Source: IGAnbXyZVx.exeString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                Source: IGAnbXyZVx.exeString found in binary or memory: http://ocsp2.globalsign.com/rootr606
                Source: IGAnbXyZVx.exeString found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
                Source: IGAnbXyZVx.exeString found in binary or memory: http://repository.certum.pl/ctnca2.cer09
                Source: IGAnbXyZVx.exeString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                Source: IGAnbXyZVx.exeString found in binary or memory: http://subca.ocsp-certum.com02
                Source: IGAnbXyZVx.exeString found in binary or memory: http://www.certum.pl/CPS0
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
                Source: BitLockerToGo.exe, 00000003.00000002.2492415527.0000000003392000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appleboltelwk.shop/
                Source: BitLockerToGo.exe, 00000003.00000002.2492415527.0000000003392000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appleboltelwk.shop/L
                Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appleboltelwk.shop/api
                Source: BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZK
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&l=e
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                Source: BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                Source: BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://coursedonnyre.shop/api
                Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fossillargeiw.shop/api
                Source: IGAnbXyZVx.exeString found in binary or memory: https://github.com/golang/protobuf/issues/1609):
                Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/
                Source: BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/api
                Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/apil
                Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/bc
                Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/rc
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
                Source: BitLockerToGo.exe, 00000003.00000002.2492415527.000000000338B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nurserrsjwuwq.shop/api
                Source: IGAnbXyZVx.exeString found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictnot
                Source: BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                Source: BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
                Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
                Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900;
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
                Source: BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
                Source: BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://strappystyio.shop/
                Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://strappystyio.shop/api
                Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tendencerangej.shop/
                Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tendencerangej.shop/api
                Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tendencerangej.shop/ig
                Source: IGAnbXyZVx.exeString found in binary or memory: https://www.certum.pl/CPS0
                Source: IGAnbXyZVx.exeString found in binary or memory: https://www.globalsign.com/repository/0
                Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                Source: unknownNetwork traffic detected: HTTP traffic on port 64663 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 64662 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 64664 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 64662
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 64664
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 64663
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:64662 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:64663 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.16.12:443 -> 192.168.2.5:64664 version: TLS 1.2
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030D9FE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,3_2_030D9FE0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030D9FE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,3_2_030D9FE0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030B03003_2_030B0300
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030E85853_2_030E8585
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030AFC503_2_030AFC50
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030A53103_2_030A5310
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030AB3203_2_030AB320
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030C933C3_2_030C933C
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030AA3303_2_030AA330
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030A73703_2_030A7370
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030EC3703_2_030EC370
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030EA3C03_2_030EA3C0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030EB2403_2_030EB240
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030AE2703_2_030AE270
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030A12C03_2_030A12C0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030A91EF3_2_030A91EF
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030B11E03_2_030B11E0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030CD1F03_2_030CD1F0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030A10003_2_030A1000
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030A87103_2_030A8710
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030A97473_2_030A9747
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030A37903_2_030A3790
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030AA7F03_2_030AA7F0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030D16903_2_030D1690
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030CC5103_2_030CC510
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030B0B303_2_030B0B30
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030D29203_2_030D2920
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030ACBA03_2_030ACBA0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030BDBE93_2_030BDBE9
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030EAA303_2_030EAA30
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030D29203_2_030D2920
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030E68103_2_030E6810
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030CE8A03_2_030CE8A0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030EAF503_2_030EAF50
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030E8FA93_2_030E8FA9
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030ABE303_2_030ABE30
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030AAE903_2_030AAE90
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030BEEE63_2_030BEEE6
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030E9EE03_2_030E9EE0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030EAD403_2_030EAD40
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030A7D703_2_030A7D70
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030D9D703_2_030D9D70
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030E5DE03_2_030E5DE0
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030DFC503_2_030DFC50
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 030AEC00 appears 157 times
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 030AC990 appears 45 times
                Source: IGAnbXyZVx.exeStatic PE information: Number of sections : 12 > 10
                Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C000600000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs IGAnbXyZVx.exe
                Source: IGAnbXyZVx.exe, 00000000.00000002.2462908522.00007FF7FE530000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameiTunesSetup.exe0 vs IGAnbXyZVx.exe
                Source: IGAnbXyZVx.exe, 00000000.00000003.2439647614.0000028A7E470000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs IGAnbXyZVx.exe
                Source: IGAnbXyZVx.exe, 00000000.00000002.2459717228.000000C000800000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs IGAnbXyZVx.exe
                Source: IGAnbXyZVx.exeBinary or memory string: OriginalFilenameiTunesSetup.exe0 vs IGAnbXyZVx.exe
                Source: IGAnbXyZVx.exeBinary string: bindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockx509: malformed validityexec: Stdout already setjson: unsupported type: invalid interlace method\Device\NamedPipe\cygwinstreamSafe was not resetzlib: invalid dictionaryinvalid pattern syntax: address string too shortresource length too longunpacking Question.Classidna: disallowed rune %Usequence number overflow^[a-zA-Z_][a-zA-Z0-9_]*$Asia Pacific (Hong Kong)Asia Pacific (Hyderabad)Asia Pacific (Singapore)Asia Pacific (Melbourne)athena.ap-east-1.api.awsathena.ca-west-1.api.awsathena.eu-west-1.api.awsathena.eu-west-2.api.awsathena.eu-west-3.api.awsathena.sa-east-1.api.awsathena.us-east-1.api.awsathena.us-east-2.api.awsathena.us-west-1.api.awsathena.us-west-2.api.awscloudfront.amazonaws.comaos.ca-central-1.api.awsaos.eu-central-1.api.awsaos.eu-central-2.api.awsaos.il-central-1.api.awsaos.me-central-1.api.awslambda.ap-east-1.api.awslambda.ca-west-1.api.awslambda.eu-west-1.api.awslambda.eu-west-2.api.awslambda.eu-west-3.api.awslambda.sa-east-1.api.awslambda.us-east-1.api.awslambda.us-east-2.api.awslambda.us-west-1.api.awslambda.us-west-2.api.awsrekognition.ca-central-1budgets.amazonaws.com.cnroute53.amazonaws.com.cnacm.{region}.{dnsSuffix}dms.{region}.{dnsSuffix}ec2.{region}.{dnsSuffix}eks.{region}.{dnsSuffix}iam.us-gov.amazonaws.compi.us-gov-east-1.api.awspi.us-gov-west-1.api.awsrds.{region}.{dnsSuffix}sqs.{region}.{dnsSuffix}ssm.{region}.{dnsSuffix}sts.{region}.{dnsSuffix}flate: maxBits too largeTLS_PSK_WITH_AES_128_CCMGODEBUG sys/cpu: value "", required CPU feature
                Source: classification engineClassification label: mal87.troj.evad.winEXE@3/0@11/3
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030D5250 CoCreateInstance,3_2_030D5250
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeFile created: C:\Users\Public\Libraries\pmlha.scifJump to behavior
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeFile opened: C:\Windows\system32\af329a41ecddd1e24c464ce77c50e456259658029e6786b8eb3dc245028698c9AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
                Source: IGAnbXyZVx.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: IGAnbXyZVx.exeReversingLabs: Detection: 21%
                Source: IGAnbXyZVx.exeString found in binary or memory: 0-9a-zA-Z]accessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes.Reader.ReadAt: negative offsetlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
                Source: IGAnbXyZVx.exeString found in binary or memory: 0-9a-zA-Z]accessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes.Reader.ReadAt: negative offsetlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
                Source: IGAnbXyZVx.exeString found in binary or memory: net/addrselect.go
                Source: IGAnbXyZVx.exeString found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
                Source: IGAnbXyZVx.exeString found in binary or memory: PMbEegzCOH/load.go
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeFile read: C:\Users\user\Desktop\IGAnbXyZVx.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\IGAnbXyZVx.exe "C:\Users\user\Desktop\IGAnbXyZVx.exe"
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeJump to behavior
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: IGAnbXyZVx.exeStatic PE information: certificate valid
                Source: IGAnbXyZVx.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                Source: IGAnbXyZVx.exeStatic PE information: Image base 0x140000000 > 0x60000000
                Source: IGAnbXyZVx.exeStatic file information: File size 13700856 > 1048576
                Source: IGAnbXyZVx.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x40ec00
                Source: IGAnbXyZVx.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x869a00
                Source: IGAnbXyZVx.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Source: Binary string: BitLockerToGo.pdb source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C000600000.00000004.00001000.00020000.00000000.sdmp, IGAnbXyZVx.exe, 00000000.00000003.2439647614.0000028A7E470000.00000004.00001000.00020000.00000000.sdmp, IGAnbXyZVx.exe, 00000000.00000002.2459717228.000000C000800000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: BitLockerToGo.pdbGCTL source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C000600000.00000004.00001000.00020000.00000000.sdmp, IGAnbXyZVx.exe, 00000000.00000003.2439647614.0000028A7E470000.00000004.00001000.00020000.00000000.sdmp, IGAnbXyZVx.exe, 00000000.00000002.2459717228.000000C000800000.00000004.00001000.00020000.00000000.sdmp
                Source: IGAnbXyZVx.exeStatic PE information: section name: .xdata
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 1532Thread sleep time: -30000s >= -30000sJump to behavior
                Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492415527.0000000003378000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: IGAnbXyZVx.exe, 00000000.00000002.2460312983.0000028A7CF3C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_030E84C0 LdrInitializeThunk,3_2_030E84C0

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Allocates memory in foreign processes
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeMemory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 30A0000 protect: page execute and read and writeJump to behavior
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 30A0000 value starts with: 4D5AJump to behavior
                LummaC encrypted strings found
                Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: strappystyio.shop
                Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: coursedonnyre.shop
                Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: fossillargeiw.shop
                Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: tendencerangej.shop
                Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: appleboltelwk.shop
                Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: tearrybyiwo.shop
                Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: captainynfanw.shop
                Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: surveriysiop.shop
                Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: nurserrsjwuwq.shop
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 30A0000Jump to behavior
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2E19008Jump to behavior
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeJump to behavior
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeQueries volume information: C:\Users\user\Desktop\IGAnbXyZVx.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeQueries volume information: C:\Windows VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeQueries volume information: C:\Windows\AppReadiness VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\IGAnbXyZVx.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
                Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected Go Injector
                Source: Yara matchFile source: IGAnbXyZVx.exe, type: SAMPLE
                Source: Yara matchFile source: 0.0.IGAnbXyZVx.exe.7ff7fd7b0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.IGAnbXyZVx.exe.7ff7fd7b0000.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2461513968.00007FF7FE224000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000000.2025429322.00007FF7FE224000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: IGAnbXyZVx.exe PID: 6432, type: MEMORYSTR
                Yara detected LummaC Stealer
                Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected Go Injector
                Source: Yara matchFile source: IGAnbXyZVx.exe, type: SAMPLE
                Source: Yara matchFile source: 0.0.IGAnbXyZVx.exe.7ff7fd7b0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.IGAnbXyZVx.exe.7ff7fd7b0000.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2461513968.00007FF7FE224000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000000.2025429322.00007FF7FE224000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: IGAnbXyZVx.exe PID: 6432, type: MEMORYSTR
                Yara detected LummaC Stealer
                Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
                Command and Scripting Interpreter                		1
                DLL Side-Loading                		311
                Process Injection                		1
                Masquerading                		OS Credential Dumping1
                Security Software Discovery                		Remote Services1
                Archive Collected Data                		11
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts1
                PowerShell                		Boot or Logon Initialization Scripts1
                DLL Side-Loading                		1
                Virtualization/Sandbox Evasion                		LSASS Memory1
                Virtualization/Sandbox Evasion                		Remote Desktop Protocol2
                Clipboard Data                		1
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)311
                Process Injection                		Security Account Manager12
                System Information Discovery                		SMB/Windows Admin SharesData from Network Shared Drive3
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                Deobfuscate/Decode Files or Information                		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture114
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
                Obfuscated Files or Information                		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                DLL Side-Loading                		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                IGAnbXyZVx.exe21%ReversingLabs

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                https://store.steampowered.com/subscriber_agreement/0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af60%URL Reputationsafe
                http://www.valvesoftware.com/legal.htm0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp;0%URL Reputationsafe
                https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL0%URL Reputationsafe
                http://www.certum.pl/CPS00%URL Reputationsafe
                https://steamcommunity.com/profiles/76561199724331900100%URL Reputationmalware
                https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english0%URL Reputationsafe
                http://store.steampowered.com/privacy_agreement/0%URL Reputationsafe
                https://store.steampowered.com/points/shop/0%URL Reputationsafe
                https://steamcommunity.com/profiles/76561199724331900/inventory/100%URL Reputationmalware
                https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg0%URL Reputationsafe
                https://store.steampowered.com/privacy_agreement/0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt00%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=english0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englis0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC0%URL Reputationsafe
                https://store.steampowered.com/about/0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english0%URL Reputationsafe
                https://help.steampowered.com/en/0%URL Reputationsafe
                https://store.steampowered.com/news/0%URL Reputationsafe
                http://store.steampowered.com/subscriber_agreement/0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r10%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en0%URL Reputationsafe
                https://store.steampowered.com/stats/0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=10%URL Reputationsafe
                https://store.steampowered.com/steam_refunds/0%URL Reputationsafe
                https://store.steampowered.com/legal/0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=e0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl0%URL Reputationsafe
                https://store.steampowered.com/0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw0%URL Reputationsafe
                https://www.certum.pl/CPS00%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=9620160%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english0%URL Reputationsafe
                http://store.steampowered.com/account/cookiepreferences/0%URL Reputationsafe
                https://store.steampowered.com/mobile0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&amp;l=english0%URL Reputationsafe
                https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&amp;l=engl0%URL Reputationsafe
                https://steamcommunity.com/profiles/76561199724331900/badges100%URL Reputationmalware

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                steamcommunity.com
                		104.102.49.254
                		truefalse
                  		unknown
                  gravvitywio.store
                  		104.21.16.12
                  		truetrue
                    		unknown
                    nurserrsjwuwq.shop
                    		188.114.96.3
                    		truetrue
                      		unknown
                      fossillargeiw.shop
                      		unknown
                      		unknowntrue
                        		unknown
                        strappystyio.shop
                        		unknown
                        		unknowntrue
                          		unknown
                          coursedonnyre.shop
                          		unknown
                          		unknowntrue
                            		unknown
                            captainynfanw.shop
                            		unknown
                            		unknowntrue
                              		unknown
                              tearrybyiwo.shop
                              		unknown
                              		unknowntrue
                                		unknown
                                surveriysiop.shop
                                		unknown
                                		unknowntrue
                                  		unknown
                                  appleboltelwk.shop
                                  		unknown
                                  		unknowntrue
                                    		unknown
                                    tendencerangej.shop
                                    		unknown
                                    		unknowntrue
                                      		unknown

                                      Contacted URLs

                                      NameMaliciousAntivirus DetectionReputation
                                      coursedonnyre.shoptrue
                                        		unknown
                                        strappystyio.shoptrue
                                          		unknown
                                          https://nurserrsjwuwq.shop/apitrue
                                            		unknown
                                            tearrybyiwo.shoptrue
                                              		unknown
                                              https://steamcommunity.com/profiles/76561199724331900true
                                              • URL Reputation: malware
                                              		unknown
                                              surveriysiop.shoptrue
                                                		unknown
                                                nurserrsjwuwq.shoptrue
                                                  		unknown
                                                  tendencerangej.shoptrue
                                                    		unknown
                                                    https://gravvitywio.store/apitrue
                                                      		unknown
                                                      captainynfanw.shoptrue
                                                        		unknown
                                                        fossillargeiw.shoptrue
                                                          		unknown
                                                          appleboltelwk.shoptrue
                                                            		unknown

                                                            URLs from Memory and Binaries

                                                            NameSourceMaliciousAntivirus DetectionReputation
                                                            https://tendencerangej.shop/apiBitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              		unknown
                                                              https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&ampBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                		unknown
                                                                https://steamcommunity.com/?subsection=broadcastsBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  		unknown
                                                                  https://github.com/golang/protobuf/issues/1609):IGAnbXyZVx.exefalse
                                                                    		unknown
                                                                    https://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		unknown
                                                                      http://www.valvesoftware.com/legal.htmBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&amp;l=eBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        		unknown
                                                                        https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&ampBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        		unknown
                                                                        https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        		unknown
                                                                        https://gravvitywio.store/BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          		unknown
                                                                          https://gravvitywio.store/apilBitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            		unknown
                                                                            https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.pngBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp;BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            https://fossillargeiw.shop/apiBitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              		unknown
                                                                              https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20FeedbackBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              		unknown
                                                                              https://appleboltelwk.shop/BitLockerToGo.exe, 00000003.00000002.2492415527.0000000003392000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                		unknown
                                                                                https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tLBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                		unknown
                                                                                http://www.certum.pl/CPS0IGAnbXyZVx.exefalse
                                                                                • URL Reputation: safe
                                                                                		unknown
                                                                                https://tendencerangej.shop/igBitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  		unknown
                                                                                  http://cevcsca2021.ocsp-certum.com07IGAnbXyZVx.exefalse
                                                                                    		unknown
                                                                                    https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=englishBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    http://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    https://store.steampowered.com/points/shop/BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    https://appleboltelwk.shop/LBitLockerToGo.exe, 00000003.00000002.2492415527.0000000003392000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      		unknown
                                                                                      http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0wIGAnbXyZVx.exefalse
                                                                                        		unknown
                                                                                        https://steamcommunity.com/profiles/76561199724331900/inventory/BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                        • URL Reputation: malware
                                                                                        		unknown
                                                                                        https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&aBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          		unknown
                                                                                          https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpgBitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          		unknown
                                                                                          https://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          		unknown
                                                                                          https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=enBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            		unknown
                                                                                            https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            		unknown
                                                                                            https://protobuf.dev/reference/go/faq#namespace-conflictnotIGAnbXyZVx.exefalse
                                                                                              		unknown
                                                                                              https://strappystyio.shop/BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                		unknown
                                                                                                https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                		unknown
                                                                                                https://coursedonnyre.shop/apiBitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  		unknown
                                                                                                  https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=englishBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  		unknown
                                                                                                  https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=englishBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  		unknown
                                                                                                  https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  		unknown
                                                                                                  https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englisBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  		unknown
                                                                                                  https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  		unknown
                                                                                                  https://store.steampowered.com/about/BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  		unknown
                                                                                                  https://steamcommunity.com/my/wishlist/BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    		unknown
                                                                                                    https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=englishBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    		unknown
                                                                                                    https://help.steampowered.com/en/BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    		unknown
                                                                                                    https://steamcommunity.com/market/BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      		unknown
                                                                                                      https://store.steampowered.com/news/BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      		unknown
                                                                                                      https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZKBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        		unknown
                                                                                                        http://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        		unknown
                                                                                                        https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          		unknown
                                                                                                          https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          http://repository.certum.pl/cevcsca2021.cer0IGAnbXyZVx.exefalse
                                                                                                            		unknown
                                                                                                            https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=enBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            		unknown
                                                                                                            https://steamcommunity.com/discussions/BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              		unknown
                                                                                                              https://store.steampowered.com/stats/BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              		unknown
                                                                                                              https://appleboltelwk.shop/apiBitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                		unknown
                                                                                                                https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                https://store.steampowered.com/steam_refunds/BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                http://subca.ocsp-certum.com02IGAnbXyZVx.exefalse
                                                                                                                  		unknown
                                                                                                                  https://gravvitywio.store/bcBitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    		unknown
                                                                                                                    https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      		unknown
                                                                                                                      http://crl.certum.pl/ctnca2.crl0lIGAnbXyZVx.exefalse
                                                                                                                        		unknown
                                                                                                                        http://repository.certum.pl/ctnca2.cer09IGAnbXyZVx.exefalse
                                                                                                                          		unknown
                                                                                                                          https://steamcommunity.com/workshop/BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            		unknown
                                                                                                                            https://store.steampowered.com/legal/BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=eBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=englBitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://store.steampowered.com/BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvwBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://www.certum.pl/CPS0IGAnbXyZVx.exefalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            		unknown
                                                                                                                            https://tendencerangej.shop/BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              		unknown
                                                                                                                              https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gifBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              		unknown
                                                                                                                              https://gravvitywio.store/rcBitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                		unknown
                                                                                                                                https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                		unknown
                                                                                                                                https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=englishBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                		unknown
                                                                                                                                https://steamcommunity.com/profiles/76561199724331900;BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                                  		unknown
                                                                                                                                  http://store.steampowered.com/account/cookiepreferences/BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  		unknown
                                                                                                                                  https://store.steampowered.com/mobileBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  		unknown
                                                                                                                                  https://strappystyio.shop/apiBitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    		unknown
                                                                                                                                    https://steamcommunity.com/BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      		unknown
                                                                                                                                      https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&amp;l=englishBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      		unknown
                                                                                                                                      https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&amp;l=englBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      		unknown
                                                                                                                                      https://steamcommunity.com/profiles/76561199724331900/badgesBitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                                      • URL Reputation: malware
                                                                                                                                      		unknown

                                                                                                                                      World Map of Contacted IPs

                                                                                                                                      • No. of IPs < 25%
                                                                                                                                      • 25% < No. of IPs < 50%
                                                                                                                                      • 50% < No. of IPs < 75%
                                                                                                                                      • 75% < No. of IPs

                                                                                                                                      Public IPs

                                                                                                                                      IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                      188.114.96.3
                                                                                                                                      		nurserrsjwuwq.shopEuropean Union
                                                                                                                                      		13335CLOUDFLARENETUStrue
                                                                                                                                      104.102.49.254
                                                                                                                                      		steamcommunity.comUnited States
                                                                                                                                      		16625AKAMAI-ASUSfalse
                                                                                                                                      104.21.16.12
                                                                                                                                      		gravvitywio.storeUnited States
                                                                                                                                      		13335CLOUDFLARENETUStrue

                                                                                                                                      General Information

                                                                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                                                                      Analysis ID:1524039
                                                                                                                                      Start date and time:2024-10-02 14:56:47 +02:00
                                                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                                                      Overall analysis duration:0h 5m 9s
                                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                                      Report type:full
                                                                                                                                      Cookbook file name:default.jbs
                                                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                      Number of analysed new started processes analysed:5
                                                                                                                                      Number of new started drivers analysed:0
                                                                                                                                      Number of existing processes analysed:0
                                                                                                                                      Number of existing drivers analysed:0
                                                                                                                                      Number of injected processes analysed:0
                                                                                                                                      Technologies:
                                                                                                                                      • HCA enabled
                                                                                                                                      • EGA enabled
                                                                                                                                      • AMSI enabled
                                                                                                                                      Analysis Mode:default
                                                                                                                                      Analysis stop reason:Timeout
                                                                                                                                      Sample name:IGAnbXyZVx.exe
                                                                                                                                      renamed because original name is a hash value
                                                                                                                                      Original Sample Name:f194835270a81357b06e41c56103d7065107bad719fab220f518f07138d33b87.exe
                                                                                                                                      Detection:MAL
                                                                                                                                      Classification:mal87.troj.evad.winEXE@3/0@11/3
                                                                                                                                      EGA Information:
                                                                                                                                      • Successful, ratio: 50%
                                                                                                                                      HCA Information:Failed
                                                                                                                                      Cookbook Comments:
                                                                                                                                      • Found application associated with file extension: .exe

                                                                                                                                      Warnings

                                                                                                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                      • Execution Graph export aborted for target IGAnbXyZVx.exe, PID 6432 because there are no executed function
                                                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                      • VT rate limit hit for: IGAnbXyZVx.exe

                                                                                                                                      Simulations

                                                                                                                                      Behavior and APIs

                                                                                                                                      TimeTypeDescription
                                                                                                                                      08:58:20API Interceptor3x Sleep call for process: BitLockerToGo.exe modified

                                                                                                                                      Joe Sandbox View / Context

                                                                                                                                      IPs

                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                      188.114.96.3http://Asm.alcateia.orgGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                      • asm.alcateia.org/
                                                                                                                                      hbwebdownload - MT 103.exeGet hashmaliciousFormBookBrowse
                                                                                                                                      • www.j88.travel/c24t/?Edg8Tp=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+lW3g3vOrk23&iL30=-ZRd9JBXfLe8q2J
                                                                                                                                      z4Shipping_document_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                                                      • www.bayarcepat19.click/g48c/
                                                                                                                                      update SOA.exeGet hashmaliciousFormBookBrowse
                                                                                                                                      • www.bayarcepat19.click/5hcm/
                                                                                                                                      docs.exeGet hashmaliciousFormBookBrowse
                                                                                                                                      • www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
                                                                                                                                      https://wwvmicrosx.live/office365/office_cookies/mainGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                      • wwvmicrosx.live/office365/office_cookies/main/
                                                                                                                                      http://fitur-dana-terbaru-2024.pages.dev/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                      • fitur-dana-terbaru-2024.pages.dev/favicon.ico
                                                                                                                                      http://mobilelegendsmycode.com/Get hashmaliciousUnknownBrowse
                                                                                                                                      • mobilelegendsmycode.com/favicon.ico
                                                                                                                                      http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwEGet hashmaliciousWinSearchAbuseBrowse
                                                                                                                                      • download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
                                                                                                                                      ADNOC requesting RFQ.exeGet hashmaliciousFormBookBrowse
                                                                                                                                      • www.chinaen.org/zi4g/
                                                                                                                                      104.102.49.254http://gtm-cn-j4g3qqvf603.steamproxy1.com/Get hashmaliciousUnknownBrowse
                                                                                                                                      • www.valvesoftware.com/legal.htm
                                                                                                                                      104.21.16.12file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                        file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                          b222.txt.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                            file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                              file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                file.exeGet hashmaliciousLummaCBrowse

                                                                                                                                                  Domains

                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                  gravvitywio.storeN65c8rwdal.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 172.67.209.193
                                                                                                                                                  BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 172.67.209.193
                                                                                                                                                  7wN7BF7WfX.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 172.67.209.193
                                                                                                                                                  file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                  • 104.21.16.12
                                                                                                                                                  file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                  • 104.21.16.12
                                                                                                                                                  b222.txt.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                  • 104.21.16.12
                                                                                                                                                  file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                  • 104.21.16.12
                                                                                                                                                  file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                  • 172.67.209.193
                                                                                                                                                  file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                  • 104.21.16.12
                                                                                                                                                  Google_Chrome.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                  • 172.67.209.193
                                                                                                                                                  steamcommunity.comN65c8rwdal.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  7wN7BF7WfX.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  b222.txt.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  Google_Chrome.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                  • 104.102.49.254

                                                                                                                                                  ASNs

                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                  CLOUDFLARENETUS35Mcl9DxHR.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 172.67.178.253
                                                                                                                                                  N65c8rwdal.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 172.67.209.193
                                                                                                                                                  BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 172.67.188.210
                                                                                                                                                  7wN7BF7WfX.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 172.67.209.193
                                                                                                                                                  file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                  • 172.67.140.92
                                                                                                                                                  l5pPoBu9i3.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 172.67.178.253
                                                                                                                                                  z92BankPayment38_735.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                  • 104.26.12.205
                                                                                                                                                  http://www.freemangas.comGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 172.67.74.221
                                                                                                                                                  caZq8MavwF.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 172.67.178.253
                                                                                                                                                  http://freemangas.comGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 104.26.11.241
                                                                                                                                                  CLOUDFLARENETUS35Mcl9DxHR.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 172.67.178.253
                                                                                                                                                  N65c8rwdal.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 172.67.209.193
                                                                                                                                                  BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 172.67.188.210
                                                                                                                                                  7wN7BF7WfX.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 172.67.209.193
                                                                                                                                                  file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                  • 172.67.140.92
                                                                                                                                                  l5pPoBu9i3.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 172.67.178.253
                                                                                                                                                  z92BankPayment38_735.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                  • 104.26.12.205
                                                                                                                                                  http://www.freemangas.comGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 172.67.74.221
                                                                                                                                                  caZq8MavwF.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 172.67.178.253
                                                                                                                                                  http://freemangas.comGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 104.26.11.241
                                                                                                                                                  AKAMAI-ASUSN65c8rwdal.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  7wN7BF7WfX.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  eEu5xPVQUo.exeGet hashmaliciousRhysidaBrowse
                                                                                                                                                  • 96.17.64.189
                                                                                                                                                  62-3590.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 96.17.64.189
                                                                                                                                                  DV2mrnfX2d.exeGet hashmaliciousRhysidaBrowse
                                                                                                                                                  • 23.56.162.185
                                                                                                                                                  eEu5xPVQUo.exeGet hashmaliciousRhysidaBrowse
                                                                                                                                                  • 96.17.64.189
                                                                                                                                                  Axactor Microsoft - Introduksjonsm#U00f8te.msgGet hashmaliciousEvilProxyBrowse
                                                                                                                                                  • 2.19.126.151
                                                                                                                                                  Axactor Microsoft - Introduksjonsm#U00f8te.msgGet hashmaliciousEvilProxyBrowse
                                                                                                                                                  • 104.102.21.248

                                                                                                                                                  JA3 Fingerprints

                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                  a0e9f5d64349fb13191bc781f81f42e1N65c8rwdal.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  • 104.21.16.12
                                                                                                                                                  • 188.114.96.3
                                                                                                                                                  BW4pTs1x3V.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  • 104.21.16.12
                                                                                                                                                  • 188.114.96.3
                                                                                                                                                  7wN7BF7WfX.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  • 104.21.16.12
                                                                                                                                                  • 188.114.96.3
                                                                                                                                                  file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  • 104.21.16.12
                                                                                                                                                  • 188.114.96.3
                                                                                                                                                  file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  • 104.21.16.12
                                                                                                                                                  • 188.114.96.3
                                                                                                                                                  FA_41_09_2024_.PDFGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  • 104.21.16.12
                                                                                                                                                  • 188.114.96.3
                                                                                                                                                  b222.txt.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  • 104.21.16.12
                                                                                                                                                  • 188.114.96.3
                                                                                                                                                  AMG Cargo Logistic.docxGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  • 104.21.16.12
                                                                                                                                                  • 188.114.96.3
                                                                                                                                                  file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  • 104.21.16.12
                                                                                                                                                  • 188.114.96.3
                                                                                                                                                  file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                  • 104.102.49.254
                                                                                                                                                  • 104.21.16.12
                                                                                                                                                  • 188.114.96.3

                                                                                                                                                  Dropped Files

                                                                                                                                                  No context

                                                                                                                                                  Created / dropped Files

                                                                                                                                                  No created / dropped files found

                                                                                                                                                  Static File Info

                                                                                                                                                  General

                                                                                                                                                  File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                  Entropy (8bit):4.6975289501283894
                                                                                                                                                  TrID:
                                                                                                                                                  • Win64 Executable (generic) (12005/4) 74.95%
                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 12.51%
                                                                                                                                                  • DOS Executable Generic (2002/1) 12.50%
                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                                                                                                                                  File name:IGAnbXyZVx.exe
                                                                                                                                                  File size:13'700'856 bytes
                                                                                                                                                  MD5:6073814ce9d8799eed467e85f78d1599
                                                                                                                                                  SHA1:8984255be7f0b0099bfdfa280a03a74143933abb
                                                                                                                                                  SHA256:f194835270a81357b06e41c56103d7065107bad719fab220f518f07138d33b87
                                                                                                                                                  SHA512:c52ef4dffd8d6da096816c30468a613a6cacc9744244854a9fe87ce269d41cf9bd95e508ae7a7539d3828c8a3bf1105ecdf07c8f67cc600dc470ad05a30f4baa
                                                                                                                                                  SSDEEP:49152:LEUfyLzdIfsmDMrt94KOJhWqSGzPWU09GdAGXC/f/LUfgVFiLIneYCzVR2l3Pqqx:Ed2lMpqSGTpXiGaPNh2MEGlW2Ymx52G5
                                                                                                                                                  TLSH:A3D62843E89584E8C199D174892682627B75BC888B3577E73B60F7A83F36BD09F78314
                                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$..@....................@.............................`......u.....`... ............................

                                                                                                                                                  File Icon

                                                                                                                                                  Icon Hash:adaeb797f34b2b31

                                                                                                                                                  Static PE Info

                                                                                                                                                  General

                                                                                                                                                  Entrypoint:0x1400014c0
                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                  Digitally signed:true
                                                                                                                                                  Imagebase:0x140000000
                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                                                                                                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                  Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                                                                                  TLS Callbacks:0x40404600, 0x1, 0x404045d0, 0x1, 0x40408070, 0x1
                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                  OS Version Major:6
                                                                                                                                                  OS Version Minor:1
                                                                                                                                                  File Version Major:6
                                                                                                                                                  File Version Minor:1
                                                                                                                                                  Subsystem Version Major:6
                                                                                                                                                  Subsystem Version Minor:1
                                                                                                                                                  Import Hash:c595f1660e1a3c84f4d9b0761d23cd7a

                                                                                                                                                  Authenticode Signature

                                                                                                                                                  Signature Valid:true
                                                                                                                                                  Signature Issuer:CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
                                                                                                                                                  Signature Validation Error:The operation completed successfully
                                                                                                                                                  Error Number:0
                                                                                                                                                  Not Before, Not After
                                                                                                                                                  • 09/09/2024 05:06:13 09/09/2025 05:06:12
                                                                                                                                                  Subject Chain
                                                                                                                                                  • CN="Guizhou Sixuanda Technology Co., Ltd.", O="Guizhou Sixuanda Technology Co., Ltd.", L=Guiyang, S=Guizhou, C=CN, SERIALNUMBER=91520100MA6DNNXK11, OID.1.3.6.1.4.1.311.60.2.1.1=Guiyang, OID.1.3.6.1.4.1.311.60.2.1.2=Guizhou, OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization
                                                                                                                                                  Version:3
                                                                                                                                                  Thumbprint MD5:62A1343435FC5131E11FA8C871BB3A1B
                                                                                                                                                  Thumbprint SHA-1:A3AFF46C5F8E2A1F750C570698B864E75553E61F
                                                                                                                                                  Thumbprint SHA-256:87D45B86DFCC84C5EF8338026C26F34935DBAA383A7DD583F48675AF77C957A4
                                                                                                                                                  Serial:332576FE101609502C23F70055B4A3BE

                                                                                                                                                  Entrypoint Preview

                                                                                                                                                  Instruction
                                                                                                                                                  dec eax
                                                                                                                                                  sub esp, 28h
                                                                                                                                                  dec eax
                                                                                                                                                  mov eax, dword ptr [00CD3D15h]
                                                                                                                                                  mov dword ptr [eax], 00000001h
                                                                                                                                                  call 00007F08A8EF291Fh
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  dec eax
                                                                                                                                                  add esp, 28h
                                                                                                                                                  ret
                                                                                                                                                  nop dword ptr [eax]
                                                                                                                                                  dec eax
                                                                                                                                                  sub esp, 28h
                                                                                                                                                  dec eax
                                                                                                                                                  mov eax, dword ptr [00CD3CF5h]
                                                                                                                                                  mov dword ptr [eax], 00000000h
                                                                                                                                                  call 00007F08A8EF28FFh
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  dec eax
                                                                                                                                                  add esp, 28h
                                                                                                                                                  ret
                                                                                                                                                  nop dword ptr [eax]
                                                                                                                                                  dec eax
                                                                                                                                                  sub esp, 28h
                                                                                                                                                  call 00007F08A9300B3Ch
                                                                                                                                                  dec eax
                                                                                                                                                  test eax, eax
                                                                                                                                                  sete al
                                                                                                                                                  movzx eax, al
                                                                                                                                                  neg eax
                                                                                                                                                  dec eax
                                                                                                                                                  add esp, 28h
                                                                                                                                                  ret
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  dec eax
                                                                                                                                                  lea ecx, dword ptr [00000009h]
                                                                                                                                                  jmp 00007F08A8EF2C39h
                                                                                                                                                  nop dword ptr [eax+00h]
                                                                                                                                                  ret
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  nop
                                                                                                                                                  jmp dword ptr [eax]
                                                                                                                                                  inc edi
                                                                                                                                                  outsd
                                                                                                                                                  and byte ptr [edx+75h], ah
                                                                                                                                                  imul ebp, dword ptr [esp+20h], 203A4449h
                                                                                                                                                  and bh, byte ptr [ecx]
                                                                                                                                                  push 0000007Ah
                                                                                                                                                  dec esi
                                                                                                                                                  cmp dword ptr [esi+4Fh], ebp
                                                                                                                                                  xor bl, byte ptr [ecx+75h]
                                                                                                                                                  inc si
                                                                                                                                                  dec esp
                                                                                                                                                  outsd
                                                                                                                                                  outsb
                                                                                                                                                  jo 00007F08A8EF2CD3h
                                                                                                                                                  inc esp
                                                                                                                                                  pop edx
                                                                                                                                                  das
                                                                                                                                                  push edx
                                                                                                                                                  push eax
                                                                                                                                                  xor edx, dword ptr [ebp+43h]
                                                                                                                                                  jc 00007F08A8EF2CC1h
                                                                                                                                                  insb
                                                                                                                                                  bound ebp, dword ptr [edx+64h]
                                                                                                                                                  dec edi
                                                                                                                                                  cmp dword ptr [edi+4Ah], esp
                                                                                                                                                  push 2F647672h
                                                                                                                                                  jne 00007F08A8EF2CD2h
                                                                                                                                                  dec ebp
                                                                                                                                                  jno 00007F08A8EF2CC1h
                                                                                                                                                  xor ecx, dword ptr [edi+ebx*2+75h]
                                                                                                                                                  dec ecx
                                                                                                                                                  push 00567A35h

                                                                                                                                                  Data Directories

                                                                                                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0xd7b0000x4e.edata
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0xd7c0000x1458.idata
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0xd800000xf220.rsrc
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0xcd60000x12d08.pdata
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0xd0e6000x28f8.bss
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0xd900000x15874.reloc
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_TLS0xcd4b400x28.rdata
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_IAT0xd7c4940x458.idata
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                                  Sections

                                                                                                                                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                  .text0x10000x40eba00x40ec008ff4d1b31f3c5ba3574dd3dfe8a82897unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                  .data0x4100000x5b5f00x5b600a510143c4f3d3c7ea250d6cdcc17f234False0.3206438098495212dBase III DBT, version number 0, next free block index 10, 1st item "72QmG5U="4.759714448821153IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                  .rdata0x46c0000x8699900x869a00aee77ff99661b011e5355b1f4524f8c9unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                                                                                                                                                  .pdata0xcd60000x12d080x12e00a27f1f180f9623471b154592c8239461False0.4086299668874172data5.552421527826989IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                                                                                                                                                  .xdata0xce90000xc600xe006485c3ebbebdacb8f08f1e0428bbbf62False0.2603236607142857data4.007439794960949IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                                                                                                                                                  .bss0xcea0000x908000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                  .edata0xd7b0000x4e0x200c44faf65e97a7d0add022be920a28cc1False0.130859375data0.8387805141107897IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                                                                                                                                                  .idata0xd7c0000x14580x16005d92d1930adb934739d7379e6ed4b811False0.29829545454545453data4.346951006076005IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                  .CRT0xd7e0000x700x200d8820e309ca16eb71b61c670dec5ce96False0.083984375data0.4362180131045608IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                  .tls0xd7f0000x100x200bf619eac0cdf3f68d496ea9344137e8bFalse0.02734375data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                  .rsrc0xd800000xf2200xf400911f498fe79233436ec77e36aa6798c7False0.03397156762295082data3.9336576696913537IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                  .reloc0xd900000x158740x15a009b25b6099854bb6f9df6a44bf7e07b63False0.2500338692196532data5.438997416854795IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                                  Resources

                                                                                                                                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                                  RT_ICON0xd801600xe8acDevice independent bitmap graphic, 225 x 450 x 8, image size 51300, resolution 26574 x 26574 px/m, 256 important colors0.01606675172923242
                                                                                                                                                  RT_GROUP_ICON0xd8ea0c0x14data1.15
                                                                                                                                                  RT_VERSION0xd8ea200x2e0dataEnglishUnited States0.46875
                                                                                                                                                  RT_MANIFEST0xd8ed000x520XML 1.0 document, Unicode text, UTF-8 (with BOM) textEnglishUnited States0.4375

                                                                                                                                                  Imports

                                                                                                                                                  DLLImport
                                                                                                                                                  KERNEL32.dllAddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler
                                                                                                                                                  msvcrt.dll___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen

                                                                                                                                                  Exports

                                                                                                                                                  NameOrdinalAddress
                                                                                                                                                  _cgo_dummy_export10x140d79a30

                                                                                                                                                  Possible Origin

                                                                                                                                                  Language of compilation systemCountry where language is spokenMap
                                                                                                                                                  EnglishUnited States

                                                                                                                                                  Network Behavior

                                                                                                                                                  Suricata IDS Alerts

                                                                                                                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                                  2024-10-02T14:58:20.992417+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.564662188.114.96.3443TCP
                                                                                                                                                  2024-10-02T14:58:20.992417+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.564662188.114.96.3443TCP
                                                                                                                                                  2024-10-02T14:58:21.000355+02002056054ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop)1192.168.2.5628691.1.1.153UDP
                                                                                                                                                  2024-10-02T14:58:21.010471+02002056040ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop)1192.168.2.5628561.1.1.153UDP
                                                                                                                                                  2024-10-02T14:58:21.023896+02002056056ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop)1192.168.2.5502041.1.1.153UDP
                                                                                                                                                  2024-10-02T14:58:21.038716+02002056036ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop)1192.168.2.5539731.1.1.153UDP
                                                                                                                                                  2024-10-02T14:58:21.052661+02002056058ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop)1192.168.2.5628041.1.1.153UDP
                                                                                                                                                  2024-10-02T14:58:21.066841+02002056046ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop)1192.168.2.5622581.1.1.153UDP
                                                                                                                                                  2024-10-02T14:58:21.162532+02002056042ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop)1192.168.2.5600721.1.1.153UDP
                                                                                                                                                  2024-10-02T14:58:21.173967+02002056052ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop)1192.168.2.5637761.1.1.153UDP
                                                                                                                                                  2024-10-02T14:58:23.461744+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.564664104.21.16.12443TCP
                                                                                                                                                  2024-10-02T14:58:23.461744+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.564664104.21.16.12443TCP

                                                                                                                                                  Network Port Distribution

                                                                                                                                                  TCP Packets

                                                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                  Oct 2, 2024 14:58:19.929547071 CEST64662443192.168.2.5188.114.96.3
                                                                                                                                                  Oct 2, 2024 14:58:19.929598093 CEST44364662188.114.96.3192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:19.929677963 CEST64662443192.168.2.5188.114.96.3
                                                                                                                                                  Oct 2, 2024 14:58:19.931154966 CEST64662443192.168.2.5188.114.96.3
                                                                                                                                                  Oct 2, 2024 14:58:19.931180954 CEST44364662188.114.96.3192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:20.394469976 CEST44364662188.114.96.3192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:20.394594908 CEST64662443192.168.2.5188.114.96.3
                                                                                                                                                  Oct 2, 2024 14:58:20.399805069 CEST64662443192.168.2.5188.114.96.3
                                                                                                                                                  Oct 2, 2024 14:58:20.399822950 CEST44364662188.114.96.3192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:20.400084019 CEST44364662188.114.96.3192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:20.453351021 CEST64662443192.168.2.5188.114.96.3
                                                                                                                                                  Oct 2, 2024 14:58:20.457530975 CEST64662443192.168.2.5188.114.96.3
                                                                                                                                                  Oct 2, 2024 14:58:20.457578897 CEST64662443192.168.2.5188.114.96.3
                                                                                                                                                  Oct 2, 2024 14:58:20.457664967 CEST44364662188.114.96.3192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:20.992410898 CEST44364662188.114.96.3192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:20.992487907 CEST44364662188.114.96.3192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:20.992600918 CEST64662443192.168.2.5188.114.96.3
                                                                                                                                                  Oct 2, 2024 14:58:20.995002031 CEST64662443192.168.2.5188.114.96.3
                                                                                                                                                  Oct 2, 2024 14:58:20.995022058 CEST44364662188.114.96.3192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:20.995074034 CEST64662443192.168.2.5188.114.96.3
                                                                                                                                                  Oct 2, 2024 14:58:20.995085001 CEST44364662188.114.96.3192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:21.193691969 CEST64663443192.168.2.5104.102.49.254
                                                                                                                                                  Oct 2, 2024 14:58:21.193728924 CEST44364663104.102.49.254192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:21.193820000 CEST64663443192.168.2.5104.102.49.254
                                                                                                                                                  Oct 2, 2024 14:58:21.194399118 CEST64663443192.168.2.5104.102.49.254
                                                                                                                                                  Oct 2, 2024 14:58:21.194413900 CEST44364663104.102.49.254192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:21.855376005 CEST44364663104.102.49.254192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:21.855582952 CEST64663443192.168.2.5104.102.49.254
                                                                                                                                                  Oct 2, 2024 14:58:21.864423037 CEST64663443192.168.2.5104.102.49.254
                                                                                                                                                  Oct 2, 2024 14:58:21.864456892 CEST44364663104.102.49.254192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:21.864746094 CEST44364663104.102.49.254192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:21.866041899 CEST64663443192.168.2.5104.102.49.254
                                                                                                                                                  Oct 2, 2024 14:58:21.911415100 CEST44364663104.102.49.254192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.364090919 CEST44364663104.102.49.254192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.364114046 CEST44364663104.102.49.254192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.364151955 CEST44364663104.102.49.254192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.364160061 CEST64663443192.168.2.5104.102.49.254
                                                                                                                                                  Oct 2, 2024 14:58:22.364191055 CEST44364663104.102.49.254192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.364207983 CEST64663443192.168.2.5104.102.49.254
                                                                                                                                                  Oct 2, 2024 14:58:22.364214897 CEST64663443192.168.2.5104.102.49.254
                                                                                                                                                  Oct 2, 2024 14:58:22.364232063 CEST64663443192.168.2.5104.102.49.254
                                                                                                                                                  Oct 2, 2024 14:58:22.469311953 CEST44364663104.102.49.254192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.469336033 CEST44364663104.102.49.254192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.469468117 CEST64663443192.168.2.5104.102.49.254
                                                                                                                                                  Oct 2, 2024 14:58:22.469497919 CEST44364663104.102.49.254192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.469538927 CEST64663443192.168.2.5104.102.49.254
                                                                                                                                                  Oct 2, 2024 14:58:22.474600077 CEST44364663104.102.49.254192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.474678040 CEST44364663104.102.49.254192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.474682093 CEST64663443192.168.2.5104.102.49.254
                                                                                                                                                  Oct 2, 2024 14:58:22.474716902 CEST64663443192.168.2.5104.102.49.254
                                                                                                                                                  Oct 2, 2024 14:58:22.474877119 CEST64663443192.168.2.5104.102.49.254
                                                                                                                                                  Oct 2, 2024 14:58:22.474895000 CEST44364663104.102.49.254192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.474924088 CEST64663443192.168.2.5104.102.49.254
                                                                                                                                                  Oct 2, 2024 14:58:22.474929094 CEST44364663104.102.49.254192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.489137888 CEST64664443192.168.2.5104.21.16.12
                                                                                                                                                  Oct 2, 2024 14:58:22.489176035 CEST44364664104.21.16.12192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.489245892 CEST64664443192.168.2.5104.21.16.12
                                                                                                                                                  Oct 2, 2024 14:58:22.489526987 CEST64664443192.168.2.5104.21.16.12
                                                                                                                                                  Oct 2, 2024 14:58:22.489541054 CEST44364664104.21.16.12192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.953396082 CEST44364664104.21.16.12192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.953489065 CEST64664443192.168.2.5104.21.16.12
                                                                                                                                                  Oct 2, 2024 14:58:22.955756903 CEST64664443192.168.2.5104.21.16.12
                                                                                                                                                  Oct 2, 2024 14:58:22.955774069 CEST44364664104.21.16.12192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.956091881 CEST44364664104.21.16.12192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.957741022 CEST64664443192.168.2.5104.21.16.12
                                                                                                                                                  Oct 2, 2024 14:58:22.957771063 CEST64664443192.168.2.5104.21.16.12
                                                                                                                                                  Oct 2, 2024 14:58:22.957819939 CEST44364664104.21.16.12192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:23.461750984 CEST44364664104.21.16.12192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:23.461843967 CEST44364664104.21.16.12192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:23.461901903 CEST64664443192.168.2.5104.21.16.12
                                                                                                                                                  Oct 2, 2024 14:58:23.462233067 CEST64664443192.168.2.5104.21.16.12
                                                                                                                                                  Oct 2, 2024 14:58:23.462256908 CEST44364664104.21.16.12192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:23.462265968 CEST64664443192.168.2.5104.21.16.12
                                                                                                                                                  Oct 2, 2024 14:58:23.462270975 CEST44364664104.21.16.12192.168.2.5

                                                                                                                                                  UDP Packets

                                                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                  Oct 2, 2024 14:57:56.218969107 CEST53617761.1.1.1192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:19.910335064 CEST6061653192.168.2.51.1.1.1
                                                                                                                                                  Oct 2, 2024 14:58:19.922651052 CEST53606161.1.1.1192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:21.000355005 CEST6286953192.168.2.51.1.1.1
                                                                                                                                                  Oct 2, 2024 14:58:21.008704901 CEST53628691.1.1.1192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:21.010471106 CEST6285653192.168.2.51.1.1.1
                                                                                                                                                  Oct 2, 2024 14:58:21.019601107 CEST53628561.1.1.1192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:21.023895979 CEST5020453192.168.2.51.1.1.1
                                                                                                                                                  Oct 2, 2024 14:58:21.032908916 CEST53502041.1.1.1192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:21.038716078 CEST5397353192.168.2.51.1.1.1
                                                                                                                                                  Oct 2, 2024 14:58:21.047777891 CEST53539731.1.1.1192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:21.052660942 CEST6280453192.168.2.51.1.1.1
                                                                                                                                                  Oct 2, 2024 14:58:21.061496973 CEST53628041.1.1.1192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:21.066840887 CEST6225853192.168.2.51.1.1.1
                                                                                                                                                  Oct 2, 2024 14:58:21.158896923 CEST53622581.1.1.1192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:21.162532091 CEST6007253192.168.2.51.1.1.1
                                                                                                                                                  Oct 2, 2024 14:58:21.171128035 CEST53600721.1.1.1192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:21.173966885 CEST6377653192.168.2.51.1.1.1
                                                                                                                                                  Oct 2, 2024 14:58:21.183176041 CEST53637761.1.1.1192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:21.185326099 CEST6478053192.168.2.51.1.1.1
                                                                                                                                                  Oct 2, 2024 14:58:21.192526102 CEST53647801.1.1.1192.168.2.5
                                                                                                                                                  Oct 2, 2024 14:58:22.476207972 CEST6536953192.168.2.51.1.1.1
                                                                                                                                                  Oct 2, 2024 14:58:22.488413095 CEST53653691.1.1.1192.168.2.5

                                                                                                                                                  DNS Queries

                                                                                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                  Oct 2, 2024 14:58:19.910335064 CEST192.168.2.51.1.1.10xdf42Standard query (0)nurserrsjwuwq.shopA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.000355005 CEST192.168.2.51.1.1.10xbe93Standard query (0)surveriysiop.shopA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.010471106 CEST192.168.2.51.1.1.10x1e48Standard query (0)captainynfanw.shopA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.023895979 CEST192.168.2.51.1.1.10xed54Standard query (0)tearrybyiwo.shopA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.038716078 CEST192.168.2.51.1.1.10xcbc7Standard query (0)appleboltelwk.shopA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.052660942 CEST192.168.2.51.1.1.10xee47Standard query (0)tendencerangej.shopA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.066840887 CEST192.168.2.51.1.1.10xb88aStandard query (0)fossillargeiw.shopA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.162532091 CEST192.168.2.51.1.1.10x9e9aStandard query (0)coursedonnyre.shopA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.173966885 CEST192.168.2.51.1.1.10xf328Standard query (0)strappystyio.shopA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.185326099 CEST192.168.2.51.1.1.10x70f7Standard query (0)steamcommunity.comA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:22.476207972 CEST192.168.2.51.1.1.10x488bStandard query (0)gravvitywio.storeA (IP address)IN (0x0001)false

                                                                                                                                                  DNS Answers

                                                                                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                  Oct 2, 2024 14:58:19.922651052 CEST1.1.1.1192.168.2.50xdf42No error (0)nurserrsjwuwq.shop188.114.96.3A (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:19.922651052 CEST1.1.1.1192.168.2.50xdf42No error (0)nurserrsjwuwq.shop188.114.97.3A (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.008704901 CEST1.1.1.1192.168.2.50xbe93Name error (3)surveriysiop.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.019601107 CEST1.1.1.1192.168.2.50x1e48Name error (3)captainynfanw.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.032908916 CEST1.1.1.1192.168.2.50xed54Name error (3)tearrybyiwo.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.047777891 CEST1.1.1.1192.168.2.50xcbc7Name error (3)appleboltelwk.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.061496973 CEST1.1.1.1192.168.2.50xee47Name error (3)tendencerangej.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.158896923 CEST1.1.1.1192.168.2.50xb88aName error (3)fossillargeiw.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.171128035 CEST1.1.1.1192.168.2.50x9e9aName error (3)coursedonnyre.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.183176041 CEST1.1.1.1192.168.2.50xf328Name error (3)strappystyio.shopnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:21.192526102 CEST1.1.1.1192.168.2.50x70f7No error (0)steamcommunity.com104.102.49.254A (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:22.488413095 CEST1.1.1.1192.168.2.50x488bNo error (0)gravvitywio.store104.21.16.12A (IP address)IN (0x0001)false
                                                                                                                                                  Oct 2, 2024 14:58:22.488413095 CEST1.1.1.1192.168.2.50x488bNo error (0)gravvitywio.store172.67.209.193A (IP address)IN (0x0001)false

                                                                                                                                                  HTTP Request Dependency Graph

                                                                                                                                                  • nurserrsjwuwq.shop
                                                                                                                                                  • steamcommunity.com
                                                                                                                                                  • gravvitywio.store

                                                                                                                                                  HTTPS Proxied Packets

                                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                  0192.168.2.564662188.114.96.34435612C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                                                  2024-10-02 12:58:20 UTC265OUTPOST /api HTTP/1.1
                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                  Content-Length: 8
                                                                                                                                                  Host: nurserrsjwuwq.shop
                                                                                                                                                  2024-10-02 12:58:20 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                                                  Data Ascii: act=life
                                                                                                                                                  2024-10-02 12:58:20 UTC770INHTTP/1.1 200 OK
                                                                                                                                                  Date: Wed, 02 Oct 2024 12:58:20 GMT
                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                  Connection: close
                                                                                                                                                  Set-Cookie: PHPSESSID=n79u2rr3h0jpj6g2e2udqnkgp0; expires=Sun, 26 Jan 2025 06:44:59 GMT; Max-Age=9999999; path=/
                                                                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                  Pragma: no-cache
                                                                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HQ7CeSO2Nj9CoXVLgdeqjwgcqvPQ1P9MkLrB5K9k1THJ3tIkA6gxe45VzK8mFSccF21iv1TlTjYhjJzlmYVW5HxuZ2C5r0ePmuGZ10WfyqAitA%2FJ2ss%2F7yrPgIYELxcr6u14XGc%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                  Server: cloudflare
                                                                                                                                                  CF-RAY: 8cc4dd062fba8cbd-EWR
                                                                                                                                                  2024-10-02 12:58:20 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                                                                                                  Data Ascii: aerror #D12
                                                                                                                                                  2024-10-02 12:58:20 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                  Data Ascii: 0


                                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                  1192.168.2.564663104.102.49.2544435612C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                                                  2024-10-02 12:58:21 UTC219OUTGET /profiles/76561199724331900 HTTP/1.1
                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                  Host: steamcommunity.com
                                                                                                                                                  2024-10-02 12:58:22 UTC1870INHTTP/1.1 200 OK
                                                                                                                                                  Server: nginx
                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                  Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                                                                                                  Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                  Date: Wed, 02 Oct 2024 12:58:22 GMT
                                                                                                                                                  Content-Length: 34837
                                                                                                                                                  Connection: close
                                                                                                                                                  Set-Cookie: sessionid=827841376d88ab12af09fd65; Path=/; Secure; SameSite=None
                                                                                                                                                  Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
                                                                                                                                                  2024-10-02 12:58:22 UTC14514INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
                                                                                                                                                  Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
                                                                                                                                                  2024-10-02 12:58:22 UTC16384INData Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f
                                                                                                                                                  Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
                                                                                                                                                  2024-10-02 12:58:22 UTC3768INData Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29
                                                                                                                                                  Data Ascii: <div class="profile_summary_footer"><span data-panel="{&quot;focusable&quot;:true,&quot;clickOnActivate&quot;:true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
                                                                                                                                                  2024-10-02 12:58:22 UTC171INData Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e
                                                                                                                                                  Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>


                                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                  2192.168.2.564664104.21.16.124435612C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                                                  2024-10-02 12:58:22 UTC264OUTPOST /api HTTP/1.1
                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                  Content-Length: 8
                                                                                                                                                  Host: gravvitywio.store
                                                                                                                                                  2024-10-02 12:58:22 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                                                  Data Ascii: act=life
                                                                                                                                                  2024-10-02 12:58:23 UTC768INHTTP/1.1 200 OK
                                                                                                                                                  Date: Wed, 02 Oct 2024 12:58:23 GMT
                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                  Connection: close
                                                                                                                                                  Set-Cookie: PHPSESSID=grh1uvge66q432c33u6ss9sap5; expires=Sun, 26 Jan 2025 06:45:02 GMT; Max-Age=9999999; path=/
                                                                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                  Pragma: no-cache
                                                                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RBk2zXYeUR6b4KFIk8msCBdZEVIaa8KWOr1nKFFp6GO4FVaGn9R39PEKwF6q63Xqsj62kbVinKfF97UxmPxKEdwkCvRm4j6BJSrzUVKlXKQ6FhXOfB3XK3BpvQFknizczlKcjA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                  Server: cloudflare
                                                                                                                                                  CF-RAY: 8cc4dd15ed78c347-EWR
                                                                                                                                                  2024-10-02 12:58:23 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                                                                                                  Data Ascii: aerror #D12
                                                                                                                                                  2024-10-02 12:58:23 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                  Data Ascii: 0


                                                                                                                                                  Statistics

                                                                                                                                                  CPU Usage

                                                                                                                                                  Click to jump to process

                                                                                                                                                  Memory Usage

                                                                                                                                                  Click to jump to process

                                                                                                                                                  Behavior

                                                                                                                                                  Click to jump to process

                                                                                                                                                  System Behavior

                                                                                                                                                  General

                                                                                                                                                  Target ID:0
                                                                                                                                                  Start time:08:57:36
                                                                                                                                                  Start date:02/10/2024
                                                                                                                                                  Path:C:\Users\user\Desktop\IGAnbXyZVx.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:"C:\Users\user\Desktop\IGAnbXyZVx.exe"
                                                                                                                                                  Imagebase:0x7ff7fd7b0000
                                                                                                                                                  File size:13'700'856 bytes
                                                                                                                                                  MD5 hash:6073814CE9D8799EED467E85F78D1599
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:Go lang
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000002.2461513968.00007FF7FE224000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000000.2025429322.00007FF7FE224000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  General

                                                                                                                                                  Target ID:3
                                                                                                                                                  Start time:08:58:19
                                                                                                                                                  Start date:02/10/2024
                                                                                                                                                  Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                  Imagebase:0x480000
                                                                                                                                                  File size:231'736 bytes
                                                                                                                                                  MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:moderate
                                                                                                                                                  Has exited:true

                                                                                                                                                  Disassembly

                                                                                                                                                  Reset < >

                                                                                                                                                    Execution Graph

                                                                                                                                                    Execution Coverage:1.3%
                                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                    Signature Coverage:63.8%
                                                                                                                                                    Total number of Nodes:69
                                                                                                                                                    Total number of Limit Nodes:10
                                                                                                                                                    execution_graph 19755 30af248 19756 30af25f 19755->19756 19759 30afc50 19756->19759 19758 30af2ae 19762 30afce0 19759->19762 19760 30b05d3 19760->19758 19763 30b003e 19762->19763 19764 30afd05 19762->19764 19766 30e7ed0 19762->19766 19763->19758 19764->19758 19764->19760 19765 30e7ed0 RtlAllocateHeap RtlReAllocateHeap 19764->19765 19765->19764 19767 30e7f4c 19766->19767 19768 30e7f52 19766->19768 19771 30e7eeb 19766->19771 19772 30e4ec0 19767->19772 19768->19762 19769 30e7f36 RtlReAllocateHeap 19769->19768 19771->19768 19771->19769 19773 30e4f16 RtlAllocateHeap 19772->19773 19774 30e4ee6 19772->19774 19774->19773 19775 30ad0f0 19776 30ad0f9 19775->19776 19777 30ad2ce ExitProcess 19776->19777 19778 30ad101 GetInputState 19776->19778 19779 30ad10e 19778->19779 19780 30ad2c9 19779->19780 19781 30ad116 GetCurrentThreadId GetCurrentProcessId 19779->19781 19796 30e7eb0 19780->19796 19785 30ad14d 19781->19785 19789 30aec10 19785->19789 19791 30aec38 19789->19791 19790 30aecfa LoadLibraryExW 19794 30aed0f 19790->19794 19791->19790 19792 30ad2bb 19792->19780 19795 30b2080 CoInitialize 19792->19795 19794->19792 19799 30af6f0 19794->19799 19807 30e9490 19796->19807 19798 30e7eb5 FreeLibrary 19798->19777 19800 30af72f 19799->19800 19803 30b0300 19800->19803 19802 30af8fd 19802->19794 19806 30b0568 19803->19806 19804 30b05d3 19804->19802 19805 30e7ed0 RtlAllocateHeap RtlReAllocateHeap 19805->19806 19806->19804 19806->19805 19806->19806 19808 30e9499 19807->19808 19808->19798 19809 30e8585 19822 30e85a0 19809->19822 19810 30e86f8 19811 30e896c 19812 30e89fe 19817 30e8a42 19812->19817 19819 30e8ccb 19812->19819 19820 30e8d3e 19812->19820 19821 30e8c1a 19812->19821 19813 30e892e 19813->19812 19814 30e8963 19813->19814 19813->19817 19827 30e84c0 LdrInitializeThunk 19813->19827 19814->19811 19829 30e84c0 LdrInitializeThunk 19814->19829 19817->19814 19828 30e84c0 LdrInitializeThunk 19817->19828 19819->19820 19819->19821 19831 30e84c0 LdrInitializeThunk 19819->19831 19830 30e84c0 LdrInitializeThunk 19820->19830 19822->19810 19822->19812 19822->19813 19822->19814 19822->19817 19826 30e84c0 LdrInitializeThunk 19822->19826 19826->19813 19827->19812 19828->19814 19829->19811 19830->19820 19831->19820 19832 30b0300 19835 30b0568 19832->19835 19833 30b05d3 19834 30e7ed0 RtlAllocateHeap RtlReAllocateHeap 19834->19835 19835->19833 19835->19834 19835->19835 19836 30e4fd2 RtlFreeHeap 19837 30e4fdc 19836->19837 19838 30eb8a0 19840 30eb8c0 19838->19840 19839 30eb9de 19840->19839 19842 30e84c0 LdrInitializeThunk 19840->19842 19842->19839

                                                                                                                                                    Executed Functions

                                                                                                                                                    Function 030AFC50 Relevance: 10.8, Strings: 8, Instructions: 837COMMON
                                                                                                                                                    Download Yara Rule

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 0 30afc50-30afcdb 1 30afce0-30afce9 0->1 1->1 2 30afceb-30afcfe 1->2 4 30afd0c-30aff39 2->4 5 30afd05-30afd07 2->5 7 30aff3b 4->7 8 30aff68-30aff8d 4->8 6 30b02df-30b02e6 5->6 9 30b05c1-30b05cc 6->9 10 30aff40-30aff66 call 30b1ee0 7->10 25 30b01cb-30b01e4 8->25 26 30b01eb-30b01fb 8->26 27 30b0128-30b014a 8->27 28 30b0188-30b0199 8->28 29 30b000f-30b001d 8->29 30 30b02cd-30b02dc 8->30 31 30b0026-30b0037 8->31 32 30b0046-30b0060 8->32 33 30b0178-30b0181 8->33 34 30b009f-30b00c1 8->34 35 30b003e 8->35 36 30b019e-30b01c4 8->36 37 30b027d-30b0285 8->37 38 30b0292-30b0295 8->38 39 30b0250-30b0268 call 30e7ed0 8->39 40 30aff94-30b0008 call 30ac8e0 8->40 12 30b05ff-30b060d 9->12 13 30b090d-30b091d 9->13 14 30b05d3-30b05da 9->14 15 30b05e1 9->15 16 30b05f0-30b05f6 call 30e4f40 9->16 17 30b05e7-30b05ed call 30e4f40 9->17 18 30b0616-30b0625 9->18 19 30b0614 9->19 10->8 12->18 12->19 13->18 13->19 23 30b0930-30b0935 13->23 14->12 14->15 14->16 14->17 14->18 14->19 15->17 16->12 17->16 19->18 56 30b093c 23->56 25->26 25->37 25->38 25->39 53 30b022a-30b022e 26->53 45 30b014c-30b014f 27->45 46 30b0110-30b0122 27->46 49 30b029c-30b02a5 28->49 29->31 30->6 31->25 31->26 31->27 31->28 31->32 31->33 31->34 31->35 31->36 31->37 31->38 31->39 51 30b0062 32->51 52 30b0096 32->52 33->25 33->26 33->28 33->36 33->37 33->38 33->39 41 30b00c3 34->41 42 30b00f6-30b0108 34->42 35->32 36->25 36->26 36->37 36->38 36->39 44 30b0290 37->44 38->49 39->9 39->30 39->37 39->38 39->44 64 30b0228 39->64 65 30b026f-30b0276 39->65 66 30b02ae-30b02b5 39->66 67 30b01fd-30b0221 39->67 68 30b02c0-30b02c7 39->68 69 30b0626-30b064e 39->69 40->25 40->26 40->27 40->28 40->29 40->31 40->32 40->33 40->34 40->35 40->36 40->37 40->38 40->39 54 30b00d0-30b00f4 call 30b1f60 41->54 42->27 57 30b0150-30b0174 call 30b1f60 45->57 46->27 49->66 61 30b0070-30b0094 call 30b2000 51->61 52->34 62 30b0235-30b0249 53->62 54->42 76 30b0942-30b0955 56->76 96 30b0176 57->96 61->52 62->37 62->39 64->53 65->9 65->30 65->37 65->38 65->44 65->64 65->66 65->68 65->69 66->68 67->9 67->30 67->37 67->38 67->44 67->64 67->66 67->68 68->30 79 30b067b-30b0684 69->79 80 30b0650-30b0679 call 30b19d0 69->80 82 30b0a63-30b0a6e 76->82 83 30b0980-30b098b call 30e7ed0 76->83 84 30b09a7-30b09aa 76->84 85 30b0a07-30b0a0d 76->85 86 30b0965-30b0973 call 30e7ed0 76->86 87 30b0a1b 76->87 88 30b095c 76->88 89 30b0a32-30b0a39 76->89 90 30b09f2-30b0a00 76->90 91 30b09d0-30b09ec 76->91 92 30b0994-30b09a0 76->92 93 30b09b4-30b09c9 76->93 94 30b0a14 76->94 116 30b068a-30b069a 79->116 80->79 82->23 82->76 82->82 82->83 82->84 82->85 82->86 82->87 82->88 82->89 82->90 82->91 82->92 82->93 82->94 109 30b0a21-30b0a2d 82->109 110 30b08e5 82->110 111 30b0a90-30b0aa1 82->111 112 30b0a75-30b0a77 82->112 83->92 84->93 85->82 85->87 85->89 85->94 86->83 88->86 100 30b08eb 89->100 101 30b0b0d 89->101 102 30b0aed-30b0af4 89->102 103 30b0a40 89->103 104 30b0a50 89->104 105 30b0ae0-30b0ae3 89->105 106 30b0b00-30b0b07 89->106 107 30b0a56-30b0a59 89->107 108 30b0b14 89->108 90->82 90->85 90->87 90->89 90->94 91->90 92->82 92->84 92->85 92->87 92->89 92->90 92->91 92->93 92->94 93->91 94->87 96->46 124 30b08f5-30b0906 100->124 101->108 102->106 103->104 104->107 105->102 106->101 107->82 125 30b0b1b 108->125 109->23 110->100 127 30b0aab-30b0aba 111->127 126 30b0a7e-30b0a89 112->126 116->100 117 30b06a1-30b06c2 116->117 121 30b06fb-30b073b 117->121 122 30b06c4 117->122 131 30b076b-30b0787 121->131 132 30b073d-30b073f 121->132 130 30b06d0-30b06f9 call 30b1ad0 122->130 124->12 124->13 124->14 124->15 124->16 124->17 124->18 124->19 125->125 126->23 126->76 126->82 126->83 126->84 126->85 126->86 126->87 126->88 126->89 126->90 126->91 126->92 126->93 126->94 126->109 126->110 126->111 135 30b0ac1-30b0ad3 127->135 130->121 131->105 140 30b078e-30b07aa 131->140 134 30b0740-30b0769 call 30b1a50 132->134 134->131 141 30b0ada 135->141 140->23 140->76 140->82 140->83 140->84 140->85 140->86 140->87 140->88 140->89 140->90 140->91 140->92 140->93 140->94 140->109 140->110 140->111 140->112 140->127 140->135 142 30b07bb-30b0827 140->142 143 30b07b1-30b07b3 140->143 141->105 144 30b085b-30b0863 142->144 145 30b0829 142->145 143->142 147 30b0882-30b0892 144->147 148 30b0865-30b086f 144->148 146 30b0830-30b0859 call 30b1b40 145->146 146->144 151 30b08b6-30b08d8 147->151 152 30b0894-30b0896 147->152 150 30b0870-30b0880 148->150 150->147 150->150 151->110 154 30b08a0-30b08b2 152->154 154->154 155 30b08b4 154->155 155->151
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: 4K$?8$X523$\S$c9k7$'&%$+)$wu
                                                                                                                                                    • API String ID: 0-2961266634
                                                                                                                                                    • Opcode ID: 8b750f4bd957ae135554ceb481794fe48a41d99e115e5afb50c5b33aa71562b5
                                                                                                                                                    • Instruction ID: b0158703f4c7f7e08bb15b14dd3f88344800a56b777b8ecccd526c95d7432815
                                                                                                                                                    • Opcode Fuzzy Hash: 8b750f4bd957ae135554ceb481794fe48a41d99e115e5afb50c5b33aa71562b5
                                                                                                                                                    • Instruction Fuzzy Hash: 646279B4109740DFD3249F29D890BABBBF5FF85710F04491CE99A8BA94D739E844CB92
                                                                                                                                                    Function 030AD0F0 Relevance: 6.2, APIs: 4, Instructions: 154threadCOMMON
                                                                                                                                                    Download Yara Rule

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 182 30ad0f0-30ad0fb call 30e6a90 185 30ad2ce-30ad2d0 ExitProcess 182->185 186 30ad101-30ad110 GetInputState call 30ddfc0 182->186 189 30ad2c9 call 30e7eb0 186->189 190 30ad116-30ad14b GetCurrentThreadId GetCurrentProcessId 186->190 189->185 191 30ad14d-30ad14f 190->191 192 30ad176-30ad193 190->192 194 30ad150-30ad174 call 30ad2e0 191->194 195 30ad1c6-30ad1c8 192->195 196 30ad195 192->196 194->192 199 30ad1ce-30ad1ea 195->199 200 30ad266-30ad283 195->200 198 30ad1a0-30ad1c4 call 30ad350 196->198 198->195 201 30ad1ec-30ad1ef 199->201 202 30ad216-30ad233 199->202 204 30ad2b6 call 30aec10 200->204 205 30ad285 200->205 207 30ad1f0-30ad214 call 30ad3c0 201->207 202->200 208 30ad235 202->208 212 30ad2bb-30ad2bd 204->212 209 30ad290-30ad2b4 call 30ad4d0 205->209 207->202 214 30ad240-30ad264 call 30ad440 208->214 209->204 212->189 216 30ad2bf-30ad2c4 call 30b2080 call 30b02f0 212->216 214->200 216->189
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CurrentProcess$ExitInputStateThread
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1029096631-0
                                                                                                                                                    • Opcode ID: d790a58de7bb327d7367ad6d2a951c17ad8bf75682e2d7bbfd9d51a69d338dcb
                                                                                                                                                    • Instruction ID: 19393e782d9002d6b2403055b79fb2676b7c5222caeab0ff91c282a90b56ae54
                                                                                                                                                    • Opcode Fuzzy Hash: d790a58de7bb327d7367ad6d2a951c17ad8bf75682e2d7bbfd9d51a69d338dcb
                                                                                                                                                    • Instruction Fuzzy Hash: 7741287490E740ABD301FB98E594A1EFBF5EFA6641F188D0CE5C48B612C235D854CB67
                                                                                                                                                    Function 030B0300 Relevance: 4.3, Strings: 3, Instructions: 501COMMON
                                                                                                                                                    Download Yara Rule

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 224 30b0300-30b0566 225 30b0568 224->225 226 30b059d-30b05ba 224->226 227 30b0570-30b059b call 30b1950 225->227 231 30b08eb 226->231 232 30b05c1-30b05cc 226->232 233 30b06a1-30b06c2 226->233 234 30b0626-30b064e 226->234 227->226 248 30b08f5-30b0906 231->248 239 30b05ff-30b060d 232->239 240 30b090d-30b091d 232->240 241 30b05d3-30b05da 232->241 242 30b05e1 232->242 243 30b05f0-30b05f6 call 30e4f40 232->243 244 30b05e7-30b05ed call 30e4f40 232->244 245 30b0616-30b0625 232->245 246 30b0614 232->246 235 30b06fb-30b073b 233->235 236 30b06c4 233->236 237 30b067b-30b0684 234->237 238 30b0650-30b0679 call 30b19d0 234->238 249 30b076b-30b0787 235->249 250 30b073d-30b073f 235->250 247 30b06d0-30b06f9 call 30b1ad0 236->247 260 30b068a-30b069a 237->260 238->237 239->245 239->246 240->245 240->246 251 30b0930-30b0935 240->251 241->239 241->242 241->243 241->244 241->245 241->246 242->244 243->239 244->243 246->245 247->235 248->239 248->240 248->241 248->242 248->243 248->244 248->245 248->246 266 30b078e-30b07aa 249->266 267 30b0ae0-30b0ae3 249->267 258 30b0740-30b0769 call 30b1a50 250->258 263 30b093c 251->263 258->249 260->231 260->233 268 30b0942-30b0955 263->268 266->251 266->268 269 30b0aab-30b0aba 266->269 270 30b0a63-30b0a6e 266->270 271 30b0ac1-30b0ad3 266->271 272 30b0a21-30b0a2d 266->272 273 30b0980-30b098b call 30e7ed0 266->273 274 30b09a7-30b09aa 266->274 275 30b0a07-30b0a0d 266->275 276 30b08e5 266->276 277 30b0965-30b0973 call 30e7ed0 266->277 278 30b07bb-30b0827 266->278 279 30b0a1b 266->279 280 30b095c 266->280 281 30b0a32-30b0a39 266->281 282 30b09f2-30b0a00 266->282 283 30b07b1-30b07b3 266->283 284 30b0a90-30b0aa1 266->284 285 30b09d0-30b09ec 266->285 286 30b0a75-30b0a77 266->286 287 30b0994-30b09a0 266->287 288 30b09b4-30b09c9 266->288 289 30b0a14 266->289 291 30b0aed-30b0af4 267->291 268->270 268->273 268->274 268->275 268->277 268->279 268->280 268->281 268->282 268->285 268->287 268->288 268->289 269->271 270->251 270->268 270->270 270->272 270->273 270->274 270->275 270->276 270->277 270->279 270->280 270->281 270->282 270->284 270->285 270->286 270->287 270->288 270->289 306 30b0ada 271->306 272->251 273->287 274->288 275->270 275->279 275->281 275->289 276->231 277->273 299 30b085b-30b0863 278->299 300 30b0829 278->300 280->277 281->231 281->267 290 30b0b0d 281->290 281->291 292 30b0a40 281->292 293 30b0a50 281->293 294 30b0b00-30b0b07 281->294 295 30b0a56-30b0a59 281->295 296 30b0b14 281->296 282->270 282->275 282->279 282->281 282->289 283->278 284->269 285->282 302 30b0a7e-30b0a89 286->302 287->270 287->274 287->275 287->279 287->281 287->282 287->285 287->288 287->289 288->285 289->279 290->296 291->294 292->293 293->295 294->290 295->270 310 30b0b1b 296->310 307 30b0882-30b0892 299->307 308 30b0865-30b086f 299->308 305 30b0830-30b0859 call 30b1b40 300->305 302->251 302->268 302->270 302->272 302->273 302->274 302->275 302->276 302->277 302->279 302->280 302->281 302->282 302->284 302->285 302->287 302->288 302->289 305->299 306->267 313 30b08b6-30b08d8 307->313 314 30b0894-30b0896 307->314 312 30b0870-30b0880 308->312 310->310 312->307 312->312 313->276 318 30b08a0-30b08b2 314->318 318->318 319 30b08b4 318->319 319->313
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: ++)$XoNm$\S
                                                                                                                                                    • API String ID: 0-4021835284
                                                                                                                                                    • Opcode ID: e050f1cc9e80ef8cbee174d78e02a6f94344c6bd66935bb3038b9a5ad5ae89b1
                                                                                                                                                    • Instruction ID: a24b8be20bbe3289593919a1dd35c4c07775ba80c9d7132f50603537ea068423
                                                                                                                                                    • Opcode Fuzzy Hash: e050f1cc9e80ef8cbee174d78e02a6f94344c6bd66935bb3038b9a5ad5ae89b1
                                                                                                                                                    • Instruction Fuzzy Hash: 011255B400A381DFD324AF25D890B9FBBF9FB86744F04481CEA889B654D7799844CF96
                                                                                                                                                    Function 030E8585 Relevance: 3.3, Strings: 2, Instructions: 807COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: %sgh$4`[b
                                                                                                                                                    • API String ID: 0-1596593044
                                                                                                                                                    • Opcode ID: 615a6a2103bb8ba390af741e8c560fc60c72c6c78cb16fb1673f47a18ab6f617
                                                                                                                                                    • Instruction ID: e3bea6ab182fea7d4065bd85de13ab2dda99e9867e089d001ffca15a57d5285b
                                                                                                                                                    • Opcode Fuzzy Hash: 615a6a2103bb8ba390af741e8c560fc60c72c6c78cb16fb1673f47a18ab6f617
                                                                                                                                                    • Instruction Fuzzy Hash: F74290B5E0221ACFDB14CF94D890ABEBBB1FF4A704F188858E451AB791D3359940CFA1
                                                                                                                                                    Function 030E84C0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
                                                                                                                                                    Download Yara Rule

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 594 30e84c0-30e84f2 LdrInitializeThunk
                                                                                                                                                    APIs
                                                                                                                                                    • LdrInitializeThunk.NTDLL(030E5D31,00000001,00000005,?,00000000,?,?,030C1375), ref: 030E84EE
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                    • Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                                                                                                                    • Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
                                                                                                                                                    • Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                                                                                                                    • Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82
                                                                                                                                                    Function 030AEC10 Relevance: 1.7, APIs: 1, Instructions: 239libraryCOMMON
                                                                                                                                                    Download Yara Rule

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 503 30aec10-30aec36 504 30aec38 503->504 505 30aec69-30aecbd 503->505 506 30aec40-30aec67 call 30b13e0 504->506 507 30aecfa-30aed0a LoadLibraryExW call 30e67d0 505->507 508 30aecbf 505->508 506->505 512 30aed0f-30aed12 507->512 511 30aecc0-30aecf8 call 30b1350 508->511 511->507 516 30aed19-30aed1b 512->516 517 30aee7e-30aee9b call 30e14a0 512->517 518 30aef22-30aef2f 512->518 519 30aed20-30aee54 call 30eaf50 * 12 512->519 520 30aee60-30aee65 512->520 521 30aef65-30aef71 512->521 525 30af1c4-30af1ce 516->525 533 30aeea0-30aeea7 517->533 523 30aef51-30aef5e 518->523 524 30aef31-30aef35 518->524 519->517 519->518 519->520 519->521 520->521 527 30aef78 520->527 528 30af1c2 520->528 529 30aee6c-30aee77 520->529 521->527 521->528 523->521 523->527 523->528 523->529 531 30aef40-30aef4f 524->531 528->525 529->517 529->518 529->520 529->521 531->523 531->531 533->533 535 30aeea9-30aeeb4 533->535 537 30aef0a-30aef1b call 30af6f0 535->537 538 30aeeb6-30aeeb8 535->538 537->518 537->520 540 30aeec0-30aeec3 538->540 544 30aef00-30aef03 540->544 545 30aeec5-30aeee4 call 30b11e0 540->545 548 30aef06 544->548 552 30aeeee-30aeef4 545->552 553 30aeee6-30aeeec 545->553 548->537 552->548 553->540 553->552
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryExW.KERNEL32(C36BC157,00000000), ref: 030AED02
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1029625771-0
                                                                                                                                                    • Opcode ID: 1afc6d2e069fbd5c5d937737c650c2b7de697e4ab43d047cbcbeeed733ca53fe
                                                                                                                                                    • Instruction ID: 26301ae7ba7893003ad38573ce15c7adfd4e61d4508eb43f01f8a99482c24604
                                                                                                                                                    • Opcode Fuzzy Hash: 1afc6d2e069fbd5c5d937737c650c2b7de697e4ab43d047cbcbeeed733ca53fe
                                                                                                                                                    • Instruction Fuzzy Hash: 0081E1B590A340DFD301FF5CFC516AABBE1FF85744F450C28E8849A654E3399928CBA2
                                                                                                                                                    Function 030E7ED0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                                                                                                                                                    Download Yara Rule

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 569 30e7ed0-30e7ee4 570 30e7f6e-30e7f74 call 30e4f40 569->570 571 30e7f4c-30e7f4d call 30e4ec0 569->571 572 30e7f5d 569->572 573 30e7eeb-30e7ef2 569->573 574 30e7ef9-30e7f0e 569->574 575 30e7f57 569->575 576 30e7f65-30e7f6b call 30e4f40 569->576 586 30e7f52-30e7f55 571->586 577 30e7f5f-30e7f64 572->577 573->570 573->572 573->574 573->575 573->576 580 30e7f36-30e7f4a RtlReAllocateHeap 574->580 581 30e7f10-30e7f34 call 30e8430 574->581 575->572 576->570 580->577 581->580 586->577
                                                                                                                                                    APIs
                                                                                                                                                    • RtlReAllocateHeap.NTDLL(C2C3CCCD,00000000,?,?), ref: 030E7F44
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AllocateHeap
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1279760036-0
                                                                                                                                                    • Opcode ID: daba4d8c184f5911540808e8acb9b1212a21fa96121f47195e23392f87ecacd7
                                                                                                                                                    • Instruction ID: cde148e732b243efd535536a0049854054b24e7e6c6886b86054f74df9a1ca3a
                                                                                                                                                    • Opcode Fuzzy Hash: daba4d8c184f5911540808e8acb9b1212a21fa96121f47195e23392f87ecacd7
                                                                                                                                                    • Instruction Fuzzy Hash: 8D11707560A240DFC301BB28F900A5FBBE4EF96A15F454968E4848B215D73AD815CBA3
                                                                                                                                                    Function 030E4EC0 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMON
                                                                                                                                                    Download Yara Rule

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 588 30e4ec0-30e4ee4 589 30e4f16-30e4f2f RtlAllocateHeap 588->589 590 30e4ee6 588->590 591 30e4ef0-30e4f14 call 30e8330 590->591 591->589
                                                                                                                                                    APIs
                                                                                                                                                    • RtlAllocateHeap.NTDLL(C2C3CCCD,00000000,?), ref: 030E4F23
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AllocateHeap
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1279760036-0
                                                                                                                                                    • Opcode ID: dd1ff6e0612ef2fd559c3e7e51b95ca1dc77a2da814dbb6471cac0d131c1d562
                                                                                                                                                    • Instruction ID: bbda40b2dce63a47284b524b0e1a82aa5ab147a751dbb196980e0b378c7357fd
                                                                                                                                                    • Opcode Fuzzy Hash: dd1ff6e0612ef2fd559c3e7e51b95ca1dc77a2da814dbb6471cac0d131c1d562
                                                                                                                                                    • Instruction Fuzzy Hash: 36F0F93460A2409FD305EB59D954A1AFBF5EF9A600F14881CE4C487362C335D814CBA6
                                                                                                                                                    Function 030E4FD2 Relevance: 1.5, APIs: 1, Instructions: 7memoryCOMMON
                                                                                                                                                    Download Yara Rule

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 595 30e4fd2-30e4fd6 RtlFreeHeap 596 30e4fdc-30e4fe0 595->596
                                                                                                                                                    APIs
                                                                                                                                                    • RtlFreeHeap.NTDLL(?,00000000), ref: 030E4FD6
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FreeHeap
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3298025750-0
                                                                                                                                                    • Opcode ID: f08644be3d63fd82d08ee60bd6dd8799532307ce70cffe630e84b716fc750221
                                                                                                                                                    • Instruction ID: ce26daedf6e15ae43376b270aad04d4ca928a91b147abb8629b109bb142fb08a
                                                                                                                                                    • Opcode Fuzzy Hash: f08644be3d63fd82d08ee60bd6dd8799532307ce70cffe630e84b716fc750221
                                                                                                                                                    • Instruction Fuzzy Hash: 52A022B080222023C8A033E83C0EFC33F0C8F8E33CF000000F20888088C8A800E0C0F8

                                                                                                                                                    Non-executed Functions

                                                                                                                                                    Function 030BEEE6 Relevance: 30.7, Strings: 23, Instructions: 1993COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: !"#$ !"#$ ?$$%&'$$%&'$()*+$(O0$,-$,-./$0123$4`[b$89:;$<=>?$HPK$P7c5$PQRS$\]^_$gfed$srqp$wr$x+f)$)/$IK
                                                                                                                                                    • API String ID: 0-331943592
                                                                                                                                                    • Opcode ID: 7071a95b1a3ab41aff8ad4a53cadf3be29e767f6a9d93ab6a39befb774380bfd
                                                                                                                                                    • Instruction ID: 9335511e11ba01782855a3592849451e6a3a5bf6ca8b5a391e695807816e6631
                                                                                                                                                    • Opcode Fuzzy Hash: 7071a95b1a3ab41aff8ad4a53cadf3be29e767f6a9d93ab6a39befb774380bfd
                                                                                                                                                    • Instruction Fuzzy Hash: 83F288B4605B419FD764DF28C880BABBBF5EF85304F48891CE4EA8B291D735A544CF92
                                                                                                                                                    Function 030CD1F0 Relevance: 25.0, APIs: 1, Strings: 13, Instructions: 463COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: #$/O9I$4`[b$<C-M$F;UE$HK$T3l=$_?J9$b/r)$f7y1$k'B!$q+i5$}#s-
                                                                                                                                                    • API String ID: 0-1986694216
                                                                                                                                                    • Opcode ID: 66bc0c1b35b5412f77055cc1a2ad2f12f083446d9c45065aa81e6c038c9d1d0b
                                                                                                                                                    • Instruction ID: 89e1815fae0c174e9cf6f78a371f742270e719dff4b0b21f664a1592871aeb71
                                                                                                                                                    • Opcode Fuzzy Hash: 66bc0c1b35b5412f77055cc1a2ad2f12f083446d9c45065aa81e6c038c9d1d0b
                                                                                                                                                    • Instruction Fuzzy Hash: 29E1CAB890A380CFD314EF28E880A2FBBE5FB96344F48092CF5859B251D735D954CB92
                                                                                                                                                    Function 030D2920 Relevance: 24.0, APIs: 4, Strings: 8, Instructions: 2965COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: $%)V$%w u$6T^{$BRPJ$P\xm$[o]'$^ffV$~PF9
                                                                                                                                                    • API String ID: 0-3803644744
                                                                                                                                                    • Opcode ID: 884dc631eb2079f012dfeb931b037b1012307f755f1597e06bc0b69cc3fddc8f
                                                                                                                                                    • Instruction ID: 74428e85e1c469d2583ca5785d12eb5d53bd3070fe4d50ce78d6bb961fc98a8c
                                                                                                                                                    • Opcode Fuzzy Hash: 884dc631eb2079f012dfeb931b037b1012307f755f1597e06bc0b69cc3fddc8f
                                                                                                                                                    • Instruction Fuzzy Hash: 8D239A74506B808FE762CF39C490BA3FBE5AF56305F08499DD4EB8B282D779A405CB61
                                                                                                                                                    Function 030C87A0 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 432COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: ,Y&[$1Q;S$6A.C$;I{K$;M1O$K9;U=J?$U=J?
                                                                                                                                                    • API String ID: 0-4102699007
                                                                                                                                                    • Opcode ID: 1c40f2d614d366aec0bc279d74ec9247b596ecd94f6d69407f86c87624eaa172
                                                                                                                                                    • Instruction ID: 85001805f3ad1a158dcbef7c45e5448594dedce322bb22005cc567d2442f2617
                                                                                                                                                    • Opcode Fuzzy Hash: 1c40f2d614d366aec0bc279d74ec9247b596ecd94f6d69407f86c87624eaa172
                                                                                                                                                    • Instruction Fuzzy Hash: 96E199B4D1264AEFDB14CF95E881A9EFBB0FF06310F148518E855ABB11E734A861CF94
                                                                                                                                                    Function 030B256A Relevance: 14.2, APIs: 1, Strings: 8, Instructions: 692COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Uninitialize
                                                                                                                                                    • String ID: &/.1$@'A)$Dd`v$E#S%$L$L+%-$pX$|
                                                                                                                                                    • API String ID: 3861434553-1518744163
                                                                                                                                                    • Opcode ID: d9dff3d7f7059c74784b200720b21ccc84afe064e9ba1a6fb07623ccf44ba94f
                                                                                                                                                    • Instruction ID: d902a406dd375b6bccfa1edbaa5d607f137c84347194570fdc82e1081e943ae8
                                                                                                                                                    • Opcode Fuzzy Hash: d9dff3d7f7059c74784b200720b21ccc84afe064e9ba1a6fb07623ccf44ba94f
                                                                                                                                                    • Instruction Fuzzy Hash: 44327A7840A3808BD7A1EF289450BEFBBE9AF92704F140C5CD4C99B252DB359549CBA7
                                                                                                                                                    Function 030ADA10 Relevance: 14.0, Strings: 11, Instructions: 268COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: '<$!$(4;9$/5>z$I60=$I|w.$P4>&$jc$jlbj$m'i($rk))$uysy
                                                                                                                                                    • API String ID: 0-673111315
                                                                                                                                                    • Opcode ID: 78afb087ad657bc8f72155c5b21ed4845193bdc33b44fc35983d704598fd3dbc
                                                                                                                                                    • Instruction ID: 6ac06db7064689cfa10f0c2f0dd4eabc8882a44b075e67acfeab97a78243923b
                                                                                                                                                    • Opcode Fuzzy Hash: 78afb087ad657bc8f72155c5b21ed4845193bdc33b44fc35983d704598fd3dbc
                                                                                                                                                    • Instruction Fuzzy Hash: E59155B450D7919BD321CF59D4A062BFFE0AF96244F58898CE4D89B362C3758849CB53
                                                                                                                                                    Function 030D5250 Relevance: 13.9, Strings: 11, Instructions: 158COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: i$j$l$n$q$t$w$x$z$|$~
                                                                                                                                                    • API String ID: 0-2345001145
                                                                                                                                                    • Opcode ID: 2b47f26a2983e468f100b65d1365ba1c90a064fa53b67d192dfb8335b5d5bf85
                                                                                                                                                    • Instruction ID: 604ed8e86d242e37a83630628cc27b5aab7c294eefc15b3d4a6dfc7ea0846e49
                                                                                                                                                    • Opcode Fuzzy Hash: 2b47f26a2983e468f100b65d1365ba1c90a064fa53b67d192dfb8335b5d5bf85
                                                                                                                                                    • Instruction Fuzzy Hash: BDB128B041A7C29FD771DF16D58C78FBBE4BBC6308F54890D96880AA51C7BA1249CF86
                                                                                                                                                    Function 030A1000 Relevance: 10.6, Strings: 7, Instructions: 1857COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
                                                                                                                                                    • API String ID: 0-2517803157
                                                                                                                                                    • Opcode ID: e034609d9845262b78ec43b426b955336525680e04d698b9a26411e0d746390c
                                                                                                                                                    • Instruction ID: b15818d1429433fd6c79de4d6731acbcb06eb777f7193ffcb097a79354897a7e
                                                                                                                                                    • Opcode Fuzzy Hash: e034609d9845262b78ec43b426b955336525680e04d698b9a26411e0d746390c
                                                                                                                                                    • Instruction Fuzzy Hash: C1D2D475A0AB518FD718CE6CD49076AFBE2AFC9314F088A6DE495CB381D334D945CB82
                                                                                                                                                    Function 030BDBE9 Relevance: 9.8, Strings: 7, Instructions: 1086COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: 4`[b$4`[b$ABA@$SQHP$ZDRW$kko|$SRU
                                                                                                                                                    • API String ID: 0-377114149
                                                                                                                                                    • Opcode ID: 636682359bdd464642dc70617aad7ef2e99fd5eb09e8a41cb5229d949cf9d940
                                                                                                                                                    • Instruction ID: fe2b283b0b9f0b123d67cad1d185477189d9e8828e4f2d0fcd6ce2dc4fd6223f
                                                                                                                                                    • Opcode Fuzzy Hash: 636682359bdd464642dc70617aad7ef2e99fd5eb09e8a41cb5229d949cf9d940
                                                                                                                                                    • Instruction Fuzzy Hash: DA82AAB4602B019FD760DF28D880BA6B7F1FF4A304F18895CE49A8BB52D735E855CB91
                                                                                                                                                    Function 030D9FE0 Relevance: 9.1, APIs: 6, Instructions: 104clipboardCOMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2832541153-0
                                                                                                                                                    • Opcode ID: e1f90176ccbe2eacfac09deedd302bb21c146f5ff79a0766fe6eed8e05a5e54e
                                                                                                                                                    • Instruction ID: e506f62068f133612fa765c800654047ba131c43fa79c27e59d3d87899a6efa6
                                                                                                                                                    • Opcode Fuzzy Hash: e1f90176ccbe2eacfac09deedd302bb21c146f5ff79a0766fe6eed8e05a5e54e
                                                                                                                                                    • Instruction Fuzzy Hash: 53413E7560E7828ED311EF7C944836EBFE0AB96220F044E5DE4E5862C2D778C549CBA3
                                                                                                                                                    Function 030C0330 Relevance: 8.2, Strings: 6, Instructions: 717COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: ?$,-$P7c5$wr$x+f)$)/
                                                                                                                                                    • API String ID: 0-4282574736
                                                                                                                                                    • Opcode ID: 4ddc09e590725ec318197006857006df722e59de63d5645c7ab308851b526aa4
                                                                                                                                                    • Instruction ID: 238a75ef523c54b8686cccc4248ea444edd9a926287dbfbdaa4d1a88b076fb19
                                                                                                                                                    • Opcode Fuzzy Hash: 4ddc09e590725ec318197006857006df722e59de63d5645c7ab308851b526aa4
                                                                                                                                                    • Instruction Fuzzy Hash: 8C2244B8519380DBD710EF18D880A6EBBF4EF95344F488D5CE4C88B261D73AD958CB96
                                                                                                                                                    Function 030AF6F0 Relevance: 7.9, Strings: 6, Instructions: 393COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: ()$C\QO$HTPR$J<BJ$N[$^]
                                                                                                                                                    • API String ID: 0-3016388747
                                                                                                                                                    • Opcode ID: 7fe38a31a5e1dd81bd3c0ed6b5f698bf4b131b8625fd553e153bdf452db6deb2
                                                                                                                                                    • Instruction ID: b248b3dee1584d6a0eb4126c83cac5913d78603cfb594a6b2c585a41cddbbb14
                                                                                                                                                    • Opcode Fuzzy Hash: 7fe38a31a5e1dd81bd3c0ed6b5f698bf4b131b8625fd553e153bdf452db6deb2
                                                                                                                                                    • Instruction Fuzzy Hash: DED1887450E3829FC311DF58E8A4A6EFBF5AB92A44F18491CE4D59B241C336D909CBA3
                                                                                                                                                    Function 030ADDA0 Relevance: 7.8, Strings: 6, Instructions: 336COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: [hct$sdlg${hmn$WQ$[U$_Y
                                                                                                                                                    • API String ID: 0-899752018
                                                                                                                                                    • Opcode ID: c51afe02fe29753fcc157aca7e4206bffd7ad220f9b1f0067e4caef2578ca090
                                                                                                                                                    • Instruction ID: 6b444f5496478c232843637563be11be041dc64f4fdfa9c314b85c9c80d6a55c
                                                                                                                                                    • Opcode Fuzzy Hash: c51afe02fe29753fcc157aca7e4206bffd7ad220f9b1f0067e4caef2578ca090
                                                                                                                                                    • Instruction Fuzzy Hash: 7EC146B4509340ABD310DF58E694A6FFBF5AB95A44F148C1CF1C98B252D335D908DBA3
                                                                                                                                                    Function 030C83FA Relevance: 7.6, Strings: 6, Instructions: 72COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: * ,$$+3AC$7+9D$WS-#$i2]/$z{
                                                                                                                                                    • API String ID: 0-3511077612
                                                                                                                                                    • Opcode ID: 2d69974bf85e33578437c32007d0ad16cbd8431b4bf96feeb93d0c5608173b4e
                                                                                                                                                    • Instruction ID: 07ce230c95c54248be60f26d0a16a748005a3a27c7f255e74b7b7fccbca3d3c2
                                                                                                                                                    • Opcode Fuzzy Hash: 2d69974bf85e33578437c32007d0ad16cbd8431b4bf96feeb93d0c5608173b4e
                                                                                                                                                    • Instruction Fuzzy Hash: B32102B051E3C48FD351DF29849062EFFE1AB92248F645E5CE1E14B261D7758441CF1B
                                                                                                                                                    Function 030A12C0 Relevance: 7.2, Strings: 5, Instructions: 966COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: 0$0$0$@$i
                                                                                                                                                    • API String ID: 0-3124195287
                                                                                                                                                    • Opcode ID: b6329eb1f9d7bb343bcd96c7bb661862d6a95deaf61661b0fa5517b7624e0328
                                                                                                                                                    • Instruction ID: 1eb38b8b71fb63ff63a981d867bc87a71019c3fc3a8248dd9489086e269d4e1a
                                                                                                                                                    • Opcode Fuzzy Hash: b6329eb1f9d7bb343bcd96c7bb661862d6a95deaf61661b0fa5517b7624e0328
                                                                                                                                                    • Instruction Fuzzy Hash: EA72DE71A0E7418FC318CE6CD49076EBBE5AB89354F188E6CE8D99B391D334D945CB82
                                                                                                                                                    Function 030CC510 Relevance: 6.7, Strings: 5, Instructions: 436COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: 4`[b$4`[b$MO$UW$]_
                                                                                                                                                    • API String ID: 0-63703203
                                                                                                                                                    • Opcode ID: 5ab93967a414b4aea6710f14ea77aab89906d16296f557fa5a06f8e68c8d99e2
                                                                                                                                                    • Instruction ID: acbffc77fc3fe80cc6b0816c123c43478c645e83b3adc5d1ac590a0c8f00fd7d
                                                                                                                                                    • Opcode Fuzzy Hash: 5ab93967a414b4aea6710f14ea77aab89906d16296f557fa5a06f8e68c8d99e2
                                                                                                                                                    • Instruction Fuzzy Hash: 8BF1B9B551A380EFE760DF65E880B6FBBE5FB85304F48892CE9988B251D735D402CB52
                                                                                                                                                    Function 030C82F2 Relevance: 6.3, Strings: 5, Instructions: 71COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: * ,$$+3AC$7+9D$WS-#$z{
                                                                                                                                                    • API String ID: 0-1796654538
                                                                                                                                                    • Opcode ID: 506ecf943b18e8963412d3ffd877284a77b0642159753f17ee93be610fedb067
                                                                                                                                                    • Instruction ID: 70aac47e0c3ce664b226995c317eb41ca3cd7b96acd33541cc5d7200536bf09f
                                                                                                                                                    • Opcode Fuzzy Hash: 506ecf943b18e8963412d3ffd877284a77b0642159753f17ee93be610fedb067
                                                                                                                                                    • Instruction Fuzzy Hash: 0321F0B091E3C48FD352DF29949062EFBE1AB92284F646E5CE1E14B262E7758441CF1A
                                                                                                                                                    Function 030A8710 Relevance: 4.1, Strings: 3, Instructions: 392COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: )$)$IEND
                                                                                                                                                    • API String ID: 0-588110143
                                                                                                                                                    • Opcode ID: 3b8d187cde5b78889547e3ef63768025a53ea718c80fa371d84fb4f3924bc114
                                                                                                                                                    • Instruction ID: 849ec578820ee73c7e9dbabcf482569209aa312c8e2a4b41e1d22279f536a29d
                                                                                                                                                    • Opcode Fuzzy Hash: 3b8d187cde5b78889547e3ef63768025a53ea718c80fa371d84fb4f3924bc114
                                                                                                                                                    • Instruction Fuzzy Hash: A7E1E1B1A09B419FE310CF68E84475BFBE0BB84304F18892DE5959B381D775E915CBC2
                                                                                                                                                    Function 030D1690 Relevance: 3.0, Strings: 2, Instructions: 517COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: "$"
                                                                                                                                                    • API String ID: 0-3758156766
                                                                                                                                                    • Opcode ID: 947b5516e93f6caac63249b3cad474251d1ef649c042f50bdbf8d3676e978699
                                                                                                                                                    • Instruction ID: 66425d3e854763ba468bcccdb0bc375008b72223988335e59e095607a1f977c0
                                                                                                                                                    • Opcode Fuzzy Hash: 947b5516e93f6caac63249b3cad474251d1ef649c042f50bdbf8d3676e978699
                                                                                                                                                    • Instruction Fuzzy Hash: 8FF14876A093154FD758CE68C49076BF7EAAFC5354F0C8A6DE8968B381DB34D80887C2
                                                                                                                                                    Function 030C1310 Relevance: 3.0, Strings: 2, Instructions: 497COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: CJu{$]IBZ
                                                                                                                                                    • API String ID: 0-1566739038
                                                                                                                                                    • Opcode ID: 4bd563cfe8fcbd5b68f2e0e5373883fafbadda7e954b592dbf1a54cb919f8062
                                                                                                                                                    • Instruction ID: 992605372a718e228e6a577b96dd0b699c29873455ac0b774fe2501b4457cbf6
                                                                                                                                                    • Opcode Fuzzy Hash: 4bd563cfe8fcbd5b68f2e0e5373883fafbadda7e954b592dbf1a54cb919f8062
                                                                                                                                                    • Instruction Fuzzy Hash: F6028AB591D380ABD315EB59D840A6FFBE8AF85214F084D1CF5C89B252D335E914CBA3
                                                                                                                                                    Function 030B0B30 Relevance: 2.9, Strings: 2, Instructions: 415COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: >>$n%F'
                                                                                                                                                    • API String ID: 0-1642885680
                                                                                                                                                    • Opcode ID: e8e327761c3f0ccb6077380ec83278924386f9db28aa8c794521ee8eba12b599
                                                                                                                                                    • Instruction ID: a11e26a1b66e0208dc2852808f02150da2786ca6dee00954193ab27841d6aadd
                                                                                                                                                    • Opcode Fuzzy Hash: e8e327761c3f0ccb6077380ec83278924386f9db28aa8c794521ee8eba12b599
                                                                                                                                                    • Instruction Fuzzy Hash: 00F143B4109380EFD364AF55D894B9BBBF4EF86780F54881CE5D98B251C3799804CF52
                                                                                                                                                    Function 030A3790 Relevance: 2.9, Strings: 2, Instructions: 396COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: Inf$NaN
                                                                                                                                                    • API String ID: 0-3500518849
                                                                                                                                                    • Opcode ID: 4e4278cc994ef934d220e7622467bb363173f7b5dcbdc4402ff18a32b48ec68d
                                                                                                                                                    • Instruction ID: a10222873b03631892b84112b61e9fe432058e8428d7ab8db4db55d704ccd7ba
                                                                                                                                                    • Opcode Fuzzy Hash: 4e4278cc994ef934d220e7622467bb363173f7b5dcbdc4402ff18a32b48ec68d
                                                                                                                                                    • Instruction Fuzzy Hash: A6D1E176A197129BC704CE6CD88065FFBE5EBC8750F148A6DF8999B390E635DC048B82
                                                                                                                                                    Function 030B2E74 Relevance: 2.9, Strings: 2, Instructions: 379COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: 4`[b$D
                                                                                                                                                    • API String ID: 0-1612538007
                                                                                                                                                    • Opcode ID: 82a0b3f9a87cbb8a8a62afe671d92c03852c47c6eb369ea80747167ec763d087
                                                                                                                                                    • Instruction ID: 6210707f479c794de7b71bbf93d2df157b96c6320fc613e5fad9558642167b6d
                                                                                                                                                    • Opcode Fuzzy Hash: 82a0b3f9a87cbb8a8a62afe671d92c03852c47c6eb369ea80747167ec763d087
                                                                                                                                                    • Instruction Fuzzy Hash: F3E149B4819740AFD360EF28D94679BBFF4FB82705F50491DE4D99B280E731A419CBA2
                                                                                                                                                    Function 030CCDF0 Relevance: 2.8, Strings: 2, Instructions: 349COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                    • String ID: Q^]R$h
                                                                                                                                                    • API String ID: 2994545307-2116566295
                                                                                                                                                    • Opcode ID: 23103ce3a476692f350ce30be9918b309dca1c834cb2614b057562111d35e7f3
                                                                                                                                                    • Instruction ID: 2f8db0e272a7d0f242aaf05bd7f7de2aafd558b04d10da55509969cad6279c8c
                                                                                                                                                    • Opcode Fuzzy Hash: 23103ce3a476692f350ce30be9918b309dca1c834cb2614b057562111d35e7f3
                                                                                                                                                    • Instruction Fuzzy Hash: 8EB1ED70A1A3819FE714DF18D880B2FF7E5EF96304F18482CE9898B251E335D846CB92
                                                                                                                                                    Function 030E5DE0 Relevance: 1.9, Strings: 1, Instructions: 603COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: f
                                                                                                                                                    • API String ID: 0-1993550816
                                                                                                                                                    • Opcode ID: 0849b6df1ff1e08e0a5d44b44d9f825bf88ac5d7c49306cb709139597f50b9ef
                                                                                                                                                    • Instruction ID: a1b7aad7746f01d3cb4d7c7076f74276ac6fb7f8f347a1924bf012ae3cd0a286
                                                                                                                                                    • Opcode Fuzzy Hash: 0849b6df1ff1e08e0a5d44b44d9f825bf88ac5d7c49306cb709139597f50b9ef
                                                                                                                                                    • Instruction Fuzzy Hash: CD22AC7160A3419FC715CF18D890B2EFBE5FB99318F188A2CE4A58B391D775E804CB52
                                                                                                                                                    Function 030A5310 Relevance: 1.8, Strings: 1, Instructions: 570COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: %1.17g
                                                                                                                                                    • API String ID: 0-1551345525
                                                                                                                                                    • Opcode ID: f75094fda19315a8c5dc9529919bb23068a75df511740fd8305f0ac201a0b7a3
                                                                                                                                                    • Instruction ID: 3c15422a590671dcfe59b535a589d238dfe6f2b3928330e9b186be9906f3b306
                                                                                                                                                    • Opcode Fuzzy Hash: f75094fda19315a8c5dc9529919bb23068a75df511740fd8305f0ac201a0b7a3
                                                                                                                                                    • Instruction Fuzzy Hash: EF12D4B2A0AB428BE715CE9DFC4032AF7E2BFA2214F1D856DD8D94B241E771D809C741
                                                                                                                                                    Function 030C6B40 Relevance: 1.7, APIs: 1, Instructions: 242comCOMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    APIs
                                                                                                                                                    • CoCreateInstance.OLE32(030EFB80,00000000,00000001,030EFB70), ref: 030C6B69
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateInstance
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 542301482-0
                                                                                                                                                    • Opcode ID: f9e63c273666e5d5f9c12f2bff3fcef9a738ccf766684ecb59d187cadd55e3d3
                                                                                                                                                    • Instruction ID: d8414df753bf3d0424ca456948dabeea8e53b2ca1fcc30e8fd873d2fb096457f
                                                                                                                                                    • Opcode Fuzzy Hash: f9e63c273666e5d5f9c12f2bff3fcef9a738ccf766684ecb59d187cadd55e3d3
                                                                                                                                                    • Instruction Fuzzy Hash: 2551BFB16153489BDB20DB64CC96BBB73B8EF85354F08495CE9458F291E376E844C722
                                                                                                                                                    Function 030C6DA0 Relevance: 1.7, Strings: 1, Instructions: 404COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: 4`[b
                                                                                                                                                    • API String ID: 0-3962175265
                                                                                                                                                    • Opcode ID: 4d50d2b11e86d278eae24d35ee81bef8e9f159a16c91bb71a2897c44c637506f
                                                                                                                                                    • Instruction ID: 7bcdc0cbc203e2348ed95ea841d6f72435d1bc624c66a07a6f8e51b5aafbd77e
                                                                                                                                                    • Opcode Fuzzy Hash: 4d50d2b11e86d278eae24d35ee81bef8e9f159a16c91bb71a2897c44c637506f
                                                                                                                                                    • Instruction Fuzzy Hash: 8AB1AEB551A380AFD721EB58C841A6FF7F5EF86A54F18881CF8C58B251E336D900DB62
                                                                                                                                                    Function 030ACBA0 Relevance: 1.6, Strings: 1, Instructions: 399COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: -
                                                                                                                                                    • API String ID: 0-2547889144
                                                                                                                                                    • Opcode ID: 953224c5c0d11d8301801206d0dcc7a462f4cc2efea05db4f6a19f2e6fad7952
                                                                                                                                                    • Instruction ID: 598ac7e9841ac61872a6e94735ba669523cc791afadc8221ac944eccaa530259
                                                                                                                                                    • Opcode Fuzzy Hash: 953224c5c0d11d8301801206d0dcc7a462f4cc2efea05db4f6a19f2e6fad7952
                                                                                                                                                    • Instruction Fuzzy Hash: D9D13F31A09B454BD718CE6CE89026EFBD2EFC1210F1D8A2DE4E5873D5D73899058B81
                                                                                                                                                    Function 030EA3C0 Relevance: 1.6, Strings: 1, Instructions: 385COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: P
                                                                                                                                                    • API String ID: 0-3110715001
                                                                                                                                                    • Opcode ID: afbc22232cbe5ad3348fb87c23bfe7d2a4d921667a021e60ce65fc4eab632b88
                                                                                                                                                    • Instruction ID: 871624a2bee79d9e0ccb28aca1d4da9bf7236c236c14856144cab70443f80aae
                                                                                                                                                    • Opcode Fuzzy Hash: afbc22232cbe5ad3348fb87c23bfe7d2a4d921667a021e60ce65fc4eab632b88
                                                                                                                                                    • Instruction Fuzzy Hash: 33D1E472B093654FC726CE18D49072FB6E1EBC9754F1A8A2CE8A5AB390C771DC4687C1
                                                                                                                                                    Function 030EAA30 Relevance: 1.6, Strings: 1, Instructions: 363COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: ,{zy
                                                                                                                                                    • API String ID: 0-1863127247
                                                                                                                                                    • Opcode ID: 29f497b5b27a720e917565615afcecbb088720202341633625a4adc79e11f21a
                                                                                                                                                    • Instruction ID: 6be912330ce9c4b1de54405d6d756fef5151dcd09e3005250dec0ae0b18ab4e5
                                                                                                                                                    • Opcode Fuzzy Hash: 29f497b5b27a720e917565615afcecbb088720202341633625a4adc79e11f21a
                                                                                                                                                    • Instruction Fuzzy Hash: 78C11E75A1A226CFCB04EF68E8A0A6EB3B1FF89341F0948ADE54597745C339E850CB41
                                                                                                                                                    Function 030C933C Relevance: 1.6, Strings: 1, Instructions: 348COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: e
                                                                                                                                                    • API String ID: 0-4024072794
                                                                                                                                                    • Opcode ID: 11ab3331a50388f65777c948b75dda808e111886d733d1e514aaa69543d47540
                                                                                                                                                    • Instruction ID: a85053753c6fb60e0613db694242bbe9671889233ac17227654f738b53805a4b
                                                                                                                                                    • Opcode Fuzzy Hash: 11ab3331a50388f65777c948b75dda808e111886d733d1e514aaa69543d47540
                                                                                                                                                    • Instruction Fuzzy Hash: 72B1B73691A382CBC710DF28C08056EF7F2FF99791F09895CE4C59B660E734AA55CB92
                                                                                                                                                    Function 030EB240 Relevance: 1.6, Strings: 1, Instructions: 318COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: WU
                                                                                                                                                    • API String ID: 0-2776803752
                                                                                                                                                    • Opcode ID: 8ddc25c464d0abce1f582163657bf8c2b5d6e9c2a286c0e5b17dcd4bf5c60bd5
                                                                                                                                                    • Instruction ID: 06468f607ec5a3ecce591400791c19e29ebb296caeb26d52c669d8921be1d850
                                                                                                                                                    • Opcode Fuzzy Hash: 8ddc25c464d0abce1f582163657bf8c2b5d6e9c2a286c0e5b17dcd4bf5c60bd5
                                                                                                                                                    • Instruction Fuzzy Hash: 5CB1DD35A09255CFCB04EF6CD89066EBBF1FF8A700F08886DE99597345D3399914CB92
                                                                                                                                                    Function 030AA7F0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: ,
                                                                                                                                                    • API String ID: 0-3772416878
                                                                                                                                                    • Opcode ID: 50d1473aa71621d783efc701adbfe01e906913bebdf5a8465364e59ca3d344b1
                                                                                                                                                    • Instruction ID: a686670e4e48e50161bdbd83a34524821248b6c1d6411c3e3a03cf1b27145001
                                                                                                                                                    • Opcode Fuzzy Hash: 50d1473aa71621d783efc701adbfe01e906913bebdf5a8465364e59ca3d344b1
                                                                                                                                                    • Instruction Fuzzy Hash: 13B159712097819FD325CF5CD88061BFBE0AFA9604F484E2DE5D997382D631E918CBA7
                                                                                                                                                    Function 030CE8A0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: 4`[b
                                                                                                                                                    • API String ID: 0-3962175265
                                                                                                                                                    • Opcode ID: edaac9395bdb17ba36b7e94ca3038794bc8271b9fe32dbd8a26c2fa2ae9a77f5
                                                                                                                                                    • Instruction ID: ec16860e0a418fa797e7997788797085919af541a72b6788be9441b6b26ae17b
                                                                                                                                                    • Opcode Fuzzy Hash: edaac9395bdb17ba36b7e94ca3038794bc8271b9fe32dbd8a26c2fa2ae9a77f5
                                                                                                                                                    • Instruction Fuzzy Hash: 44711B72A29B518FD758DF2CD85026EF6D2EBC9201F4D4A3CD99A9B385DB34A804C781
                                                                                                                                                    Function 030D9D70 Relevance: 1.5, Strings: 1, Instructions: 220COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 030D9E11
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
                                                                                                                                                    • API String ID: 0-2272463933
                                                                                                                                                    • Opcode ID: f6749082da7b6b64bcd230d158fc620cfb25096b7cd3c154c81357c827a25eef
                                                                                                                                                    • Instruction ID: 79d23e7a784d44229d137620e00e2791478a488de327c84396d87878ace92967
                                                                                                                                                    • Opcode Fuzzy Hash: f6749082da7b6b64bcd230d158fc620cfb25096b7cd3c154c81357c827a25eef
                                                                                                                                                    • Instruction Fuzzy Hash: 8D61353374EB9547D320A83C5C413AABAC34FD6230F2D8769E4F48B3E9E76988158380
                                                                                                                                                    Function 030AE270 Relevance: 1.4, Strings: 1, Instructions: 190COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 030AE391
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
                                                                                                                                                    • API String ID: 0-442858466
                                                                                                                                                    • Opcode ID: fd4779f49449660c1a8190004d1496db92b46d03ec377a633768641fb7502e6a
                                                                                                                                                    • Instruction ID: 6843f1ca688944fa9f27f7a8fca6ba7668f313f0fb9c558661150faa4b24ec83
                                                                                                                                                    • Opcode Fuzzy Hash: fd4779f49449660c1a8190004d1496db92b46d03ec377a633768641fb7502e6a
                                                                                                                                                    • Instruction Fuzzy Hash: F6514B33B0BEA18BC714C9BCEC452BD6B5A1BD2230B1E4766EDB19B7D5C56A8C01C391
                                                                                                                                                    Function 030E9960 Relevance: 1.4, Strings: 1, Instructions: 186COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: 4`[b
                                                                                                                                                    • API String ID: 0-3962175265
                                                                                                                                                    • Opcode ID: f886cdbefecbe0e19fa350d2c2192c85d71d90c88288daf18ac87e6eac809c18
                                                                                                                                                    • Instruction ID: bc9206afae1d46092bf5e31c7f12457f0da3ccc425f0d0c523392c61593ff1b4
                                                                                                                                                    • Opcode Fuzzy Hash: f886cdbefecbe0e19fa350d2c2192c85d71d90c88288daf18ac87e6eac809c18
                                                                                                                                                    • Instruction Fuzzy Hash: 3851E43570A2149FC715DA188890B3EF7E6EFC9714F18862CE8E997291D735A8018792
                                                                                                                                                    Function 030EBF90 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                    • String ID: @
                                                                                                                                                    • API String ID: 2994545307-2766056989
                                                                                                                                                    • Opcode ID: 63231710684a9e577afdb29ba56f68606c6c035a9ffcc46126800950e5fd2285
                                                                                                                                                    • Instruction ID: b3919e9de20e7c59a57cf751d9cce0a462d415a531e97c10f9ae01385c6bcb64
                                                                                                                                                    • Opcode Fuzzy Hash: 63231710684a9e577afdb29ba56f68606c6c035a9ffcc46126800950e5fd2285
                                                                                                                                                    • Instruction Fuzzy Hash: CF31497460A3059FD314DF18D880A2AFBF9FFC6715F18892CE5C897251D336D9448B66
                                                                                                                                                    Function 030CEB14 Relevance: 1.3, Strings: 1, Instructions: 59COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: 4`[b
                                                                                                                                                    • API String ID: 0-3962175265
                                                                                                                                                    • Opcode ID: 9572c7f18e5aac7af0f0379c349ed040f34ff78abc9615999b2a74fdf8c33ff0
                                                                                                                                                    • Instruction ID: 0b16a4686a7280c7a7dc5f527c3b6bfab6312e526eaa5addd391fe832bd6001e
                                                                                                                                                    • Opcode Fuzzy Hash: 9572c7f18e5aac7af0f0379c349ed040f34ff78abc9615999b2a74fdf8c33ff0
                                                                                                                                                    • Instruction Fuzzy Hash: 0811797591A3828FD710EF04D480A6EBBF5EB95746F194C5CE1C1AB212C731E954CB92
                                                                                                                                                    Function 030ABE30 Relevance: .9, Instructions: 853COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: e3917af40c5768ca871dd8653f5db67102efc558752539eab415c8f91ffba602
                                                                                                                                                    • Instruction ID: 74057c32e783436d9ef88b99194905087fe837ee4dd764386e801ba416a37002
                                                                                                                                                    • Opcode Fuzzy Hash: e3917af40c5768ca871dd8653f5db67102efc558752539eab415c8f91ffba602
                                                                                                                                                    • Instruction Fuzzy Hash: 4352C032609B118BD325DF6CE48027AB3E2FFC4314F1A896DD9D6D7285E735A851CB82
                                                                                                                                                    Function 030AB320 Relevance: .7, Instructions: 670COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 3f417334a2f94f13b8dcd37c8bf7beddc493ae47d25fec17ec62d33892d8a981
                                                                                                                                                    • Instruction ID: ee49354baa9a112c73537652f7973e895a78c091dc6ed951d8a3fdbc414355ce
                                                                                                                                                    • Opcode Fuzzy Hash: 3f417334a2f94f13b8dcd37c8bf7beddc493ae47d25fec17ec62d33892d8a981
                                                                                                                                                    • Instruction Fuzzy Hash: F252D270909F849FE735CB7CE0847ABBBE5EB81314F18496DC5E60AB82C3B9A485C751
                                                                                                                                                    Function 030A7370 Relevance: .7, Instructions: 657COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 488b7a54ef81b8b21b97ba246fbb686a598b78fcf7d517b52d1e30b3f099c7d5
                                                                                                                                                    • Instruction ID: 9aae8ff08944217626dcdc077b2e47a6efb0dda3d4dc411e705ed1be4df72928
                                                                                                                                                    • Opcode Fuzzy Hash: 488b7a54ef81b8b21b97ba246fbb686a598b78fcf7d517b52d1e30b3f099c7d5
                                                                                                                                                    • Instruction Fuzzy Hash: D252F0316097458FCB15CFACD0906AAFBE1BF88704F19CA6DE8995B352D334D889CB81
                                                                                                                                                    Function 030A7D70 Relevance: .6, Instructions: 592COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 89d1516ebfd3af02d223966260416403de55e7dac5073f907c531a716e26d9e0
                                                                                                                                                    • Instruction ID: 53d685343dcfa54f386fa056f28f0dd07c2d9c9749964c3c5b09c855e74947da
                                                                                                                                                    • Opcode Fuzzy Hash: 89d1516ebfd3af02d223966260416403de55e7dac5073f907c531a716e26d9e0
                                                                                                                                                    • Instruction Fuzzy Hash: C0321270916F108FC368CEADD59056ABBF2BB85610B548A2ED6A787E90D336F844CB10
                                                                                                                                                    Function 030EAF50 Relevance: .5, Instructions: 549COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 489b6a7c4a698563a4d38b343ee03189582f4bc4d4cde0b0396ba97af2c3312f
                                                                                                                                                    • Instruction ID: 108ab3a9b2d238a3cdc41a7e818eed88923b82d50245b6bd2be4b927c9c7efb8
                                                                                                                                                    • Opcode Fuzzy Hash: 489b6a7c4a698563a4d38b343ee03189582f4bc4d4cde0b0396ba97af2c3312f
                                                                                                                                                    • Instruction Fuzzy Hash: A102DB35609245CFC708EF6CE89066EBBE2FF8A710F09886DE99587345D735E914CB82
                                                                                                                                                    Function 030CEF22 Relevance: .5, Instructions: 509COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 642d0b8e24df6723edba642385fdadae82b410259cfa3c57ff8b2a2f105a6e35
                                                                                                                                                    • Instruction ID: 87f8cb8969bd4914f64d52a2ab08dc5c492ca1668c49aa696c27af17b78406b2
                                                                                                                                                    • Opcode Fuzzy Hash: 642d0b8e24df6723edba642385fdadae82b410259cfa3c57ff8b2a2f105a6e35
                                                                                                                                                    • Instruction Fuzzy Hash: 83128AB4D012499FDB11DFA8C580AAEBBB2EF06300F64455CE855BF386D7349A05CBE6
                                                                                                                                                    Function 030CF7FC Relevance: .5, Instructions: 455COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: bf9efbc3ffb710e1dd7127e337355ec01f83b543b284f4e0d44f3b48c6746610
                                                                                                                                                    • Instruction ID: 07b887e9113dd12a7aa34b14c40a04136ba6b40496abbb75b61019085e842ce2
                                                                                                                                                    • Opcode Fuzzy Hash: bf9efbc3ffb710e1dd7127e337355ec01f83b543b284f4e0d44f3b48c6746610
                                                                                                                                                    • Instruction Fuzzy Hash: FCE16AB8912356CBDB20DF94D8906AEB7F1FF46310F28044CD885BB755E734AA41CB66
                                                                                                                                                    Function 030E8FA9 Relevance: .4, Instructions: 425COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: c249229f0cab64740f63c07f7862d20c7d005b74b05f9a6818fca933c50db2fe
                                                                                                                                                    • Instruction ID: dee6c90ca7f4f696e05af026b7993db562e4b1be57177370cbcae305436de7ac
                                                                                                                                                    • Opcode Fuzzy Hash: c249229f0cab64740f63c07f7862d20c7d005b74b05f9a6818fca933c50db2fe
                                                                                                                                                    • Instruction Fuzzy Hash: D7D1E43660E256CFC710DF38D49012AB7E1EB89314F198AADE895CB786D739D941CB81
                                                                                                                                                    Function 030AA330 Relevance: .4, Instructions: 399COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 7054175a8a3b90594dafe7831a2656b0097cd78ec0a7691fa266c8c5c38cfb5b
                                                                                                                                                    • Instruction ID: 29f5567131dc880f9738622c0f3146dbca8c610a9ec43c124a02bcbfe8276eef
                                                                                                                                                    • Opcode Fuzzy Hash: 7054175a8a3b90594dafe7831a2656b0097cd78ec0a7691fa266c8c5c38cfb5b
                                                                                                                                                    • Instruction Fuzzy Hash: C0E189756097418FD320CF69D880A6BFBF1EF98200F48882DE4D587791E775E948CBA6
                                                                                                                                                    Function 030E9EE0 Relevance: .3, Instructions: 337COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 9cd17ccc637974f1030c9e5a66aa50eafe4b0049d50bbfa7c1869fe4b16cdfa7
                                                                                                                                                    • Instruction ID: 63d78fc3bff95b2b0b23f20f22aa3968537c563bbc4bf5f0fecf4d059fb16537
                                                                                                                                                    • Opcode Fuzzy Hash: 9cd17ccc637974f1030c9e5a66aa50eafe4b0049d50bbfa7c1869fe4b16cdfa7
                                                                                                                                                    • Instruction Fuzzy Hash: 12A105B5B093408FD314DB689C80B6BF7E9EBC9314F09492DE9959B342E636D8048752
                                                                                                                                                    Function 030BD816 Relevance: .3, Instructions: 335COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: b0601ecc95492c98a09264e1375f88b4e938e69f7caad3378b614369184a9df8
                                                                                                                                                    • Instruction ID: 29d24215b86ae7643305f89ad63c7278b974ccb8e3bf211466625b0e5c1ad7d3
                                                                                                                                                    • Opcode Fuzzy Hash: b0601ecc95492c98a09264e1375f88b4e938e69f7caad3378b614369184a9df8
                                                                                                                                                    • Instruction Fuzzy Hash: 22B15EB4901B01AFD760DF29C986B63BBF4FF06710F048A1DE4AA8B795D334A454CB92
                                                                                                                                                    Function 030B59E8 Relevance: .3, Instructions: 333COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 6d48dc34ecaa4ed663646d8c301ba7275b9d6fa327a6290ec13563ecd32bd155
                                                                                                                                                    • Instruction ID: 6d0ad186bc0cd8f5b5c3401711d20a2030e5711565f579dd88f3aa58a35cea61
                                                                                                                                                    • Opcode Fuzzy Hash: 6d48dc34ecaa4ed663646d8c301ba7275b9d6fa327a6290ec13563ecd32bd155
                                                                                                                                                    • Instruction Fuzzy Hash: 9EB16B74901B019FD726CF28C880BA7B7FAEF46710F188A9DD49A87A41E774F844CB95
                                                                                                                                                    Function 030CDF23 Relevance: .3, Instructions: 309COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 7dddd2dea6ca9d7bc8c53fab6dcb80b83554485d9b26f64b3e77d77533a56eaf
                                                                                                                                                    • Instruction ID: b1f50607e67fe490553ce1a6823c2681cf4a5436ac315c695ec72d02ae9c9561
                                                                                                                                                    • Opcode Fuzzy Hash: 7dddd2dea6ca9d7bc8c53fab6dcb80b83554485d9b26f64b3e77d77533a56eaf
                                                                                                                                                    • Instruction Fuzzy Hash: FBA1F331A19381CFD320EF29D88076EB7E2FF8A710F194A6CE99497282D774E915CB41
                                                                                                                                                    Function 030AAE90 Relevance: .3, Instructions: 303COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 8ba27ebef624d562c81b1053b51e136de56c64f3138dbf4a074eddc60f83e8c7
                                                                                                                                                    • Instruction ID: cdd75ba63c3dd04be4258efd9eaba00d75e7f4b1a1c6cbbef95e11bb7cf19651
                                                                                                                                                    • Opcode Fuzzy Hash: 8ba27ebef624d562c81b1053b51e136de56c64f3138dbf4a074eddc60f83e8c7
                                                                                                                                                    • Instruction Fuzzy Hash: D3C14EB2A58B418FC370CF68DC86BABB7E1BF85318F08492DD1D9C6242E778A155CB45
                                                                                                                                                    Function 030A91EF Relevance: .3, Instructions: 277COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 4bc4eaaaea9c658c6f28f109bd83bb0098bc47c9a44745537c971f4ad22a610a
                                                                                                                                                    • Instruction ID: 0b4c36725e4a250c712ed39f29428649cf98f45a8fd7bddc6d5e6bb826ae1c65
                                                                                                                                                    • Opcode Fuzzy Hash: 4bc4eaaaea9c658c6f28f109bd83bb0098bc47c9a44745537c971f4ad22a610a
                                                                                                                                                    • Instruction Fuzzy Hash: 56B18A79606B01CFD758CF29D48079AB7F2FB88315F098A6CD84687A84D379E985CF44
                                                                                                                                                    Function 030CE0F2 Relevance: .3, Instructions: 266COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 39bf4f8b0181822f3fdd72c068dcec5a26335a07cc70b3beaf59cc1baac2f340
                                                                                                                                                    • Instruction ID: e90c1b8619e015cc57a66942d491b975aa75555ec78a858c8b13b5d27d5a1479
                                                                                                                                                    • Opcode Fuzzy Hash: 39bf4f8b0181822f3fdd72c068dcec5a26335a07cc70b3beaf59cc1baac2f340
                                                                                                                                                    • Instruction Fuzzy Hash: D881E330919381CFD720DF29D88076EB7E1FF86711F198A6CE9A4572D2D774A914CB82
                                                                                                                                                    Function 030B567D Relevance: .3, Instructions: 265COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: e880909cd29b9fb18635d2a3e41d96812a4c703c3cf7590e39f6411a4a3041ab
                                                                                                                                                    • Instruction ID: 30eef9823f38b42c33df031730956753bc59af42078c13c863950229299cde64
                                                                                                                                                    • Opcode Fuzzy Hash: e880909cd29b9fb18635d2a3e41d96812a4c703c3cf7590e39f6411a4a3041ab
                                                                                                                                                    • Instruction Fuzzy Hash: 4FB12274902B409BD321CF28D980BA7FBF1EF46704F48895CD8AA9BA51D375F814CB64
                                                                                                                                                    Function 030EC370 Relevance: .3, Instructions: 258COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 450a6d10dce0094331cd237dcf909e22f3908c85fb0ce3961fb9a381413ac19c
                                                                                                                                                    • Instruction ID: 5cadbd06d0a40bf0223bba19aefa57a2dcc54f47f4e9ff44352c06cd8942e868
                                                                                                                                                    • Opcode Fuzzy Hash: 450a6d10dce0094331cd237dcf909e22f3908c85fb0ce3961fb9a381413ac19c
                                                                                                                                                    • Instruction Fuzzy Hash: 3481AE7530A3019FE724DF28C880A2BF7E5EF85754F09892CE596CB251E732E850CB52
                                                                                                                                                    Function 030CE0B0 Relevance: .2, Instructions: 240COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: da8a8a4d4865cef5744913dea55e66cc5f26c6f0c67a1008cfefddb634fc9e85
                                                                                                                                                    • Instruction ID: 4a998f59594ecd6e7b6b3e2eaa2019403c9ae885676d8460ab8ad90d80bc29a2
                                                                                                                                                    • Opcode Fuzzy Hash: da8a8a4d4865cef5744913dea55e66cc5f26c6f0c67a1008cfefddb634fc9e85
                                                                                                                                                    • Instruction Fuzzy Hash: 3971C130519381CFD720EF29D84076EFBE1FF8A710F158A6CE9A497292D774A905CB52
                                                                                                                                                    Function 030B4DA6 Relevance: .2, Instructions: 232COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: f9b2dfc4c38762be4380b8c1adef4f81c471a9d53f4b3fb7dc60d7cfa4c567b7
                                                                                                                                                    • Instruction ID: 2b1028cd82f32c1d50cbdd490312f8e8aefc7ac5682fff39ef05bcf64d88502b
                                                                                                                                                    • Opcode Fuzzy Hash: f9b2dfc4c38762be4380b8c1adef4f81c471a9d53f4b3fb7dc60d7cfa4c567b7
                                                                                                                                                    • Instruction Fuzzy Hash: A0818978502B408FD325CF29D994BA7BBF2AF46304F18891CD4AA8BB92D735F915CB50
                                                                                                                                                    Function 030E6810 Relevance: .2, Instructions: 218COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 71a6f5e04d1d397167b8a7cf380f5c83824304336bf0c1feb40cb3b2ccb95f74
                                                                                                                                                    • Instruction ID: 23762367b88b948a904651581d8e45f157f4ad0870337a26b4e324ab2e9addbb
                                                                                                                                                    • Opcode Fuzzy Hash: 71a6f5e04d1d397167b8a7cf380f5c83824304336bf0c1feb40cb3b2ccb95f74
                                                                                                                                                    • Instruction Fuzzy Hash: 8361E271B0A305AFD711DF14E880B2AFBEAEFE5314F18891DE5D58B291D732E8148B52
                                                                                                                                                    Function 030B4C20 Relevance: .2, Instructions: 206COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 6829423a756ef9607a3df9b9d80063f978773b2d83c8880c93ada27b551875ca
                                                                                                                                                    • Instruction ID: 3c6be49f247c9faa478a770c07aefbe0283a77de391985db04703d6cfddab425
                                                                                                                                                    • Opcode Fuzzy Hash: 6829423a756ef9607a3df9b9d80063f978773b2d83c8880c93ada27b551875ca
                                                                                                                                                    • Instruction Fuzzy Hash: 3F716979502B008FD325DF29D890BA7BBF6AF85304F14891CD49A8BB52E736F915CB50
                                                                                                                                                    Function 030CF57C Relevance: .2, Instructions: 198COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 05d908d6890ae6d593c0a78b07aa8a9abd80db0f5daf7c0b6e7c0e42a1c08b2d
                                                                                                                                                    • Instruction ID: 2ad63515e4624de64f9f47d25b373287ad326c7a6fa77d39751728a0533d7460
                                                                                                                                                    • Opcode Fuzzy Hash: 05d908d6890ae6d593c0a78b07aa8a9abd80db0f5daf7c0b6e7c0e42a1c08b2d
                                                                                                                                                    • Instruction Fuzzy Hash: 515199B4D12219CFDB20DF98D8816AEBBF1FF45314F180099E845BB751D735AA41CB52
                                                                                                                                                    Function 030DFC50 Relevance: .2, Instructions: 189COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: a227f88ed9e57a5e5bfba510073709d6a26efefdfe36ab547ca60b24c28ab221
                                                                                                                                                    • Instruction ID: 8bc46c5600706e50bb28ede56417984c9c23420eef46fa281f6112d7aebd0530
                                                                                                                                                    • Opcode Fuzzy Hash: a227f88ed9e57a5e5bfba510073709d6a26efefdfe36ab547ca60b24c28ab221
                                                                                                                                                    • Instruction Fuzzy Hash: 73516BB16097548FE324DF29D49435BBBE1BBC8318F044E2DE4E987350E379D6088B82
                                                                                                                                                    Function 030E56A0 Relevance: .2, Instructions: 167COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 5618313927382ff7654edeaa66bd08af39ab3de33ff68c7068f3473da25189c1
                                                                                                                                                    • Instruction ID: d8ee16a800ad4d2cbafbe742806ba81d7d8aa1807905dfec15735c8b96904bcf
                                                                                                                                                    • Opcode Fuzzy Hash: 5618313927382ff7654edeaa66bd08af39ab3de33ff68c7068f3473da25189c1
                                                                                                                                                    • Instruction Fuzzy Hash: E9515D7870A240EFD724DA14E984A2BFBE5EF8A748F188C1CE5C99B251D331D850DB62
                                                                                                                                                    Function 030A9747 Relevance: .2, Instructions: 165COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: adc9452b30b1de360ea7a011a741e500b17fe832bd500a63fab3163b89f6f5f1
                                                                                                                                                    • Instruction ID: 3b12c321f1084a778e1c9de736c428c9cd81b5acbe4f78be6a829674d559a3a0
                                                                                                                                                    • Opcode Fuzzy Hash: adc9452b30b1de360ea7a011a741e500b17fe832bd500a63fab3163b89f6f5f1
                                                                                                                                                    • Instruction Fuzzy Hash: AA710275206B81CFC328CF28D094656FBF2BB59304F488A5DD4868BB82C775E959CB90
                                                                                                                                                    Function 030A5BE0 Relevance: .2, Instructions: 163COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: b8de05f097ea3a06193b42013bfc75a8473e1368ca9305864d94a3714147034c
                                                                                                                                                    • Instruction ID: 8ec6c9979bf3090ddfb1dd3fddb08c5c96c407972a0e404afac411660c461e25
                                                                                                                                                    • Opcode Fuzzy Hash: b8de05f097ea3a06193b42013bfc75a8473e1368ca9305864d94a3714147034c
                                                                                                                                                    • Instruction Fuzzy Hash: DB51B4B5A057009FC724DF9CE84092AB7E5FF8A324F19466CE8999F351DA31EC41CB92
                                                                                                                                                    Function 030AF032 Relevance: .2, Instructions: 159COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: eb7dcf7f40680adafd07609f9cf96c065785ed31f0b483b2e31e35c9f5ba8ac4
                                                                                                                                                    • Instruction ID: ec7d3196b9703a546ad498f9ca0fceb4489e0c91f67231153d3a7be185706ca7
                                                                                                                                                    • Opcode Fuzzy Hash: eb7dcf7f40680adafd07609f9cf96c065785ed31f0b483b2e31e35c9f5ba8ac4
                                                                                                                                                    • Instruction Fuzzy Hash: AA51D47190E381CFC329DF68E8916EAB7E2FBCA301F080E6CD59587685D3749549CB52
                                                                                                                                                    Function 030EBCA0 Relevance: .1, Instructions: 139COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: b5f4c0d86da4921a193eb0fcc5c0191238561ca7974df0913e9f2bf83a1901f2
                                                                                                                                                    • Instruction ID: 1402fbf4beda00e6e053fa187a00065a49f741bbe474fbbcb2c231fd0b1b3f19
                                                                                                                                                    • Opcode Fuzzy Hash: b5f4c0d86da4921a193eb0fcc5c0191238561ca7974df0913e9f2bf83a1901f2
                                                                                                                                                    • Instruction Fuzzy Hash: 3E41817870E205AFD754EA58D890B7AF7E9EB85B14F28881CE5C99B241E331E810CB56
                                                                                                                                                    Function 030EAD40 Relevance: .1, Instructions: 137COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 79eaf081e148d047a017f9e929f06d5d57c8f7274000bbc2059ef99122120c32
                                                                                                                                                    • Instruction ID: 21dab90b939efb9d9d73c2b9dd0a4ea895e0439922db64575ddba163cbd9c2fb
                                                                                                                                                    • Opcode Fuzzy Hash: 79eaf081e148d047a017f9e929f06d5d57c8f7274000bbc2059ef99122120c32
                                                                                                                                                    • Instruction Fuzzy Hash: A2419F3561A251DFC708EF28E8A061EB3F5FF8D795F1A84B9D64587A45C338D860CB42
                                                                                                                                                    Function 030EBE20 Relevance: .1, Instructions: 136COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 81a711908fea49098deb754f08960552d8aba238403b928f6937b1db06df8ab2
                                                                                                                                                    • Instruction ID: eeecf22bf8bc77a51d2806e6c33f303a84459867668ea2015b62e8ead1ee6596
                                                                                                                                                    • Opcode Fuzzy Hash: 81a711908fea49098deb754f08960552d8aba238403b928f6937b1db06df8ab2
                                                                                                                                                    • Instruction Fuzzy Hash: CE416F3930E301AFD754DA54D890B2EF7EAEF85B14F28886CE5899B251D331E8108F52
                                                                                                                                                    Function 030B11E0 Relevance: .1, Instructions: 126COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 6502b1a74935b7e9f50679337d6116cb56e96eff26653c172b9628589b73af6c
                                                                                                                                                    • Instruction ID: 0dd41598e5256d29a971ed158af2c0637b53d0b5b28975287730a79a2a745970
                                                                                                                                                    • Opcode Fuzzy Hash: 6502b1a74935b7e9f50679337d6116cb56e96eff26653c172b9628589b73af6c
                                                                                                                                                    • Instruction Fuzzy Hash: ED4106727182514BD34CCA3E8C6026EBAE29FC9610F0DC63EF0E5CB785E67485069751
                                                                                                                                                    Function 030E1160 Relevance: .1, Instructions: 109COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: c25c3208324afb261326ab1fc409434c8cc0f87fb6b34c1328f35c73dbb2607d
                                                                                                                                                    • Instruction ID: 3207431f130b13780f8616fecca6cdd8538c381b23ea507dc8a8203008bce664
                                                                                                                                                    • Opcode Fuzzy Hash: c25c3208324afb261326ab1fc409434c8cc0f87fb6b34c1328f35c73dbb2607d
                                                                                                                                                    • Instruction Fuzzy Hash: F6418DB560A301AFE714EF18E844B2FBBE5EF85704F04882CE5858B691D375D854CB62
                                                                                                                                                    Function 030E03D0 Relevance: .1, Instructions: 101COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: dd648b976cd68e86c7396eb4c4d39d42fa318a3e92da1d975e51bc6770f5fe63
                                                                                                                                                    • Instruction ID: 705490b38c8327aa4e169f8410a3f57dbeab8d43d417f56e887eb97a3b30ebdd
                                                                                                                                                    • Opcode Fuzzy Hash: dd648b976cd68e86c7396eb4c4d39d42fa318a3e92da1d975e51bc6770f5fe63
                                                                                                                                                    • Instruction Fuzzy Hash: F9210A72A092154BC324DB5EC58153BF7E8EB89614F0AC62ED9C497254E375981487E1
                                                                                                                                                    Function 030A4B50 Relevance: .1, Instructions: 95COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: cc75d8784eb294bf5ace8313f37923410246a7b0efbc7bf10a42e69fa79346d8
                                                                                                                                                    • Instruction ID: 2d45dc18114c3dbe0eb2fa4cbc4897efb29150eb45f7190e3f3d908cb5d0515b
                                                                                                                                                    • Opcode Fuzzy Hash: cc75d8784eb294bf5ace8313f37923410246a7b0efbc7bf10a42e69fa79346d8
                                                                                                                                                    • Instruction Fuzzy Hash: 4B31E9386156008BD750DE9DE880B2AB7E5EFC4318F18896CE895CB341D375DC52CB41
                                                                                                                                                    Function 030B49F2 Relevance: .1, Instructions: 95COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 34ec1dff04c47a64498516f3b07262826e8506a667e6ee67375075c5cb9aa390
                                                                                                                                                    • Instruction ID: 8a69b7ff83ff67a5ef3bd0be7c0375e8933d352ba406ea16de93c62ea52b6f39
                                                                                                                                                    • Opcode Fuzzy Hash: 34ec1dff04c47a64498516f3b07262826e8506a667e6ee67375075c5cb9aa390
                                                                                                                                                    • Instruction Fuzzy Hash: 14316DB4901B008FD735CF68C480AA7B3F9AB45300F148A2DC8D78BA51E735F948CB91
                                                                                                                                                    Function 030DC5F0 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                    • Instruction ID: f1c768903968de43749707463bad746f7c6651614bd513d1634530815b6861c1
                                                                                                                                                    • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                    • Instruction Fuzzy Hash: 4511A533A0A2E40ED316CD3C8400569BFE30A93579B5D97D9F4B89B2D6D622CD8AC355
                                                                                                                                                    Function 030D0FA0 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: ed5c0b2faf46f86cceb0d4e5c3ea5bacb4bc81ad937c58a5fcc92a49dd20d367
                                                                                                                                                    • Instruction ID: 9eedb3a11eaf164728ce3261f036e8dd1977f7ad377dbff9ebaed917174e9fbd
                                                                                                                                                    • Opcode Fuzzy Hash: ed5c0b2faf46f86cceb0d4e5c3ea5bacb4bc81ad937c58a5fcc92a49dd20d367
                                                                                                                                                    • Instruction Fuzzy Hash: 2C01B1F570270147E760EE95E4C4B6BF2E8AF88604F1C102CD918DF602EB75E804C6A6
                                                                                                                                                    Function 030D305E Relevance: .1, Instructions: 52COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 9cb78989a150cd95395bd4528ba8941ddfd5c658e726f2531a23fbbae8ee7b94
                                                                                                                                                    • Instruction ID: ebe19ed9cc5116a22f9386341e998885d22ddaa22729f21e18a049098d3bc600
                                                                                                                                                    • Opcode Fuzzy Hash: 9cb78989a150cd95395bd4528ba8941ddfd5c658e726f2531a23fbbae8ee7b94
                                                                                                                                                    • Instruction Fuzzy Hash: 15012578586F40DBC323CB74E654927FFF1AB46A057480F8ED6D287A26C224F410C716
                                                                                                                                                    Function 030A7020 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: fbcd24763009c78406556a2ab48d7e497e7782655dfb234a5cb191780e8f35eb
                                                                                                                                                    • Instruction ID: 547e284defd672de17b2a5962647e3ad718a02fe739ffffe16a04f4c9423c3ec
                                                                                                                                                    • Opcode Fuzzy Hash: fbcd24763009c78406556a2ab48d7e497e7782655dfb234a5cb191780e8f35eb
                                                                                                                                                    • Instruction Fuzzy Hash: 70F0E97671A9264BA314CCEEE8C0D27F3D6D7C5904B098438EA41D3205D535F40692A0
                                                                                                                                                    Function 030BAB30 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 3c62eeb860c18e725f6d7fee5cee77680a44ad36796214bc67e143a05931bbb6
                                                                                                                                                    • Instruction ID: dd6e1040a8ac0b644ad56f168e049b7486e5f4eaa262e1e08f7df4a8ee140a5b
                                                                                                                                                    • Opcode Fuzzy Hash: 3c62eeb860c18e725f6d7fee5cee77680a44ad36796214bc67e143a05931bbb6
                                                                                                                                                    • Instruction Fuzzy Hash: 08F0A0B1B052106BDB22CD989C90FB7BBADCBCB264F1908A5E89597102D1A19C4483E6
                                                                                                                                                    Function 030E8EC0 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 3e329816d3177cf5c32aaa14d2c4c127e056bb114b1d2eb67e06d289b1bb2da2
                                                                                                                                                    • Instruction ID: b435b11f5c5cac8906b2c497030bbdd2cd3f9ffc7d770263cb903216190dbc1c
                                                                                                                                                    • Opcode Fuzzy Hash: 3e329816d3177cf5c32aaa14d2c4c127e056bb114b1d2eb67e06d289b1bb2da2
                                                                                                                                                    • Instruction Fuzzy Hash: 75F06D7050A240AFD300EF18D49492EFBF5EF46A01F048C1DE0C197251D336C850CB67
                                                                                                                                                    Function 030C91E6 Relevance: .0, Instructions: 31COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: c6d2ebfd4cf50062c7e77ce93bc306b27cd06d312a2daa56950b7a62ec2f475a
                                                                                                                                                    • Instruction ID: e78df9581100ffc7cfffb67a56e9ae5df80cc8b54f4eaf472f92933b6f41947f
                                                                                                                                                    • Opcode Fuzzy Hash: c6d2ebfd4cf50062c7e77ce93bc306b27cd06d312a2daa56950b7a62ec2f475a
                                                                                                                                                    • Instruction Fuzzy Hash: 5F01CE7045D380CAE2A09F28D08879EBAE0FB96200F60885DD4D897225CE35C4849F9A
                                                                                                                                                    Function 030E2E70 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: cc8815e1caefdcabb1c8feca523002050e4654cc1546fc6923db71fa5b2fcc4d
                                                                                                                                                    • Instruction ID: a4aace17ff4403755372562a747b12944ad8e3c30ca55a17f5be951a31d0d008
                                                                                                                                                    • Opcode Fuzzy Hash: cc8815e1caefdcabb1c8feca523002050e4654cc1546fc6923db71fa5b2fcc4d
                                                                                                                                                    • Instruction Fuzzy Hash: 47E0CD7BB1662109576CCE16D801777F3E5EBC6711B4CA56ED441D3204D534C4404164
                                                                                                                                                    Function 030D5CD8 Relevance: 73.7, APIs: 1, Strings: 41, Instructions: 153memoryCOMMON
                                                                                                                                                    Download Yara Rule

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 639 30d5cd8-30d5d26 640 30d5d2b-30d5d39 639->640 640->640 641 30d5d3b 640->641 642 30d5d46-30d5d50 641->642 643 30d5d93-30d5f1e SysAllocString 642->643 644 30d5d52-30d5d91 call 30dc700 642->644 646 30d5f29-30d5f33 643->646 644->642 648 30d5f35-30d5f6e call 30dc780 646->648 649 30d5f70-30d5fe1 646->649 648->646
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AllocString
                                                                                                                                                    • String ID: $!$#$%$'$'$)$+$-$.$/$0$1$3$3$5$7$9$;$=$?$A$C$E$G$I$K$M$O$Q$S$U$W$Y$[$]$_$i$k$m$o
                                                                                                                                                    • API String ID: 2525500382-1658444415
                                                                                                                                                    • Opcode ID: 660592f5ea7d8bfe123969b11848c1a154b383319bf188f5cd00d5b16f3a70f3
                                                                                                                                                    • Instruction ID: 99509ded81984370e3e0af859c559acc190a2270d7f37a67a31178a79b02d31f
                                                                                                                                                    • Opcode Fuzzy Hash: 660592f5ea7d8bfe123969b11848c1a154b383319bf188f5cd00d5b16f3a70f3
                                                                                                                                                    • Instruction Fuzzy Hash: 4991916000D7C18DE372DB38888875BBFE16BA2224F484A9DE5E84B3D2C7B58545CB63
                                                                                                                                                    Function 030D66B3 Relevance: 73.7, APIs: 1, Strings: 41, Instructions: 151memoryCOMMON
                                                                                                                                                    Download Yara Rule

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 654 30d66b3-30d6709 655 30d670e-30d671c 654->655 655->655 656 30d671e 655->656 657 30d6729-30d6733 656->657 658 30d6735-30d6774 call 30dc700 657->658 659 30d6776-30d6901 SysAllocString 657->659 658->657 661 30d690c-30d6916 659->661 663 30d6918-30d6951 call 30dc780 661->663 664 30d6953-30d69a9 661->664 663->661
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AllocString
                                                                                                                                                    • String ID: $!$#$%$'$'$)$+$-$.$/$0$1$3$3$5$7$9$;$=$?$A$C$E$G$I$K$M$O$Q$S$U$W$Y$[$]$_$i$k$m$o
                                                                                                                                                    • API String ID: 2525500382-1658444415
                                                                                                                                                    • Opcode ID: 98dcd98d4793048d1c22f97e12ab7bfaf4270e254dd7b6483d455bf551308985
                                                                                                                                                    • Instruction ID: 1aa134884267714232c9752220a0bc91d488795ab6a6f08ba5ad2df88f7d08c2
                                                                                                                                                    • Opcode Fuzzy Hash: 98dcd98d4793048d1c22f97e12ab7bfaf4270e254dd7b6483d455bf551308985
                                                                                                                                                    • Instruction Fuzzy Hash: 5391A46000C7C1CDD372DB78984875BBFE16BA3224F484A9DE1E94B3D2C7A58449C767
                                                                                                                                                    Function 030D75C2 Relevance: 54.3, APIs: 1, Strings: 30, Instructions: 49COMMON
                                                                                                                                                    Download Yara Rule

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 669 30d75c2-30d76e7 VariantInit 670 30d76ec-30d76fa 669->670 670->670 671 30d76fc-30d7715 670->671
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InitVariant
                                                                                                                                                    • String ID: !$)$1$3$7$8$9$9$;$<$=$?$?$A$C$E$G$I$K$L$L$M$N$O$O$U$U$V$W$s
                                                                                                                                                    • API String ID: 1927566239-337729411
                                                                                                                                                    • Opcode ID: 718fd8dca19b98aaeaa5238bf989cd9f972d9bc3a7e509fd7d55148706887d04
                                                                                                                                                    • Instruction ID: c051f8d468f665c9785ed575fa959ea12584dcb590e23c132b27150a9641d7dd
                                                                                                                                                    • Opcode Fuzzy Hash: 718fd8dca19b98aaeaa5238bf989cd9f972d9bc3a7e509fd7d55148706887d04
                                                                                                                                                    • Instruction Fuzzy Hash: 73315EA060C7C0CDE3329638D45979BBED55BA3348F48489EC5CC4B283C7BA0649C72B
                                                                                                                                                    Function 030D6D26 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 80COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Variant$ClearInit
                                                                                                                                                    • String ID: )$1$3$5$7$8$9$9$:$J
                                                                                                                                                    • API String ID: 2610073882-3263170428
                                                                                                                                                    • Opcode ID: f9c42060ff021d11bf10bce0da0d8dfc7c2ea4c45e3c7e2091c458f9dd7e0ae0
                                                                                                                                                    • Instruction ID: c943570206399459f88890a086ad8ca722d72dafb9889094fffcfa748b4ecac5
                                                                                                                                                    • Opcode Fuzzy Hash: f9c42060ff021d11bf10bce0da0d8dfc7c2ea4c45e3c7e2091c458f9dd7e0ae0
                                                                                                                                                    • Instruction Fuzzy Hash: 9A41C27000C7C1CAD332DB2894987DEBFE4AB96314F484E9ED4E98B292C7755206CB63
                                                                                                                                                    Function 030D8EA1 Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 89COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InitVariant
                                                                                                                                                    • String ID: a$c$e$g$i$k$m$o$q$s
                                                                                                                                                    • API String ID: 1927566239-4288921106
                                                                                                                                                    • Opcode ID: 6c73ba1a53b11fa23324d3f2ef58d29856d75b7cbc87cdf77315dcbc30fbb0aa
                                                                                                                                                    • Instruction ID: f8172daa32f9d8b87eabb576b46bdff68c2f8e26beffdcc136b626f844f7b3c7
                                                                                                                                                    • Opcode Fuzzy Hash: 6c73ba1a53b11fa23324d3f2ef58d29856d75b7cbc87cdf77315dcbc30fbb0aa
                                                                                                                                                    • Instruction Fuzzy Hash: 7251BF6010C7C1CEE332DB28845979BBFE1AB92314F188A9DD0DD8B382CBB55549CB63
                                                                                                                                                    Function 030D8C13 Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 76COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InitVariant
                                                                                                                                                    • String ID: a$c$e$g$i$k$m$o$q$s
                                                                                                                                                    • API String ID: 1927566239-4288921106
                                                                                                                                                    • Opcode ID: b2f5d2a25d0f11c32be5ea58498346141c90dc8aba026e2e471e79e4b2f07a66
                                                                                                                                                    • Instruction ID: 29a91d52db6cbbac7f47ac421ccad52d6a87f0ae828422c9e8a6e47310eff1a0
                                                                                                                                                    • Opcode Fuzzy Hash: b2f5d2a25d0f11c32be5ea58498346141c90dc8aba026e2e471e79e4b2f07a66
                                                                                                                                                    • Instruction Fuzzy Hash: 5341826050D7C1CEE331DB388459B9ABFE0AB96314F088A9DD4DD8B2D2C7B54549CB63
                                                                                                                                                    Function 030D94BA Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 147memoryCOMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AllocString
                                                                                                                                                    • String ID: 0$`$i$j$m$n$q$|$}
                                                                                                                                                    • API String ID: 2525500382-1032352773
                                                                                                                                                    • Opcode ID: 720d552fe69cdf2b9846e9855931acab690e0809c756e7b1dd8f6bcbfcd219c3
                                                                                                                                                    • Instruction ID: 221546d2716847665ec19a0a1436d836c99155e08dd542b4b1883ef833a891bb
                                                                                                                                                    • Opcode Fuzzy Hash: 720d552fe69cdf2b9846e9855931acab690e0809c756e7b1dd8f6bcbfcd219c3
                                                                                                                                                    • Instruction Fuzzy Hash: 6981702050DBC28ED332DA7C844864ABFE16BA7224F584B9DF5F54B3E2C3658546CB63
                                                                                                                                                    Function 030D8720 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 144memoryCOMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AllocString
                                                                                                                                                    • String ID: 0$`$i$j$m$n$q$|$}
                                                                                                                                                    • API String ID: 2525500382-1032352773
                                                                                                                                                    • Opcode ID: 776fde90e06e6311bb3c3fbeae7f806b06a31a503f5c5fdc3616de8419789aad
                                                                                                                                                    • Instruction ID: c2577326c93cfc7c9c28a06e6e8e81be600685e4c0816b07b79b183437433900
                                                                                                                                                    • Opcode Fuzzy Hash: 776fde90e06e6311bb3c3fbeae7f806b06a31a503f5c5fdc3616de8419789aad
                                                                                                                                                    • Instruction Fuzzy Hash: AA81706010DBC28AD372DA7C944864EBFE16BA7224F584B8DF1F54B3E2C3658546CB63
                                                                                                                                                    Function 030B20C7 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 297COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    APIs
                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(1FAD195F,00000104), ref: 030B24E3
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: DirectorySystem
                                                                                                                                                    • String ID: % 3$QW$U7[$%
                                                                                                                                                    • API String ID: 2188284642-2017673355
                                                                                                                                                    • Opcode ID: a1871ab7f00e97f2115976a3ca2a5db9ef76e79f1ad5df410118aa12c64d5e84
                                                                                                                                                    • Instruction ID: b678e5e805d3a922e57a16fad8fca5110d02c89660590793d8e00052909262b9
                                                                                                                                                    • Opcode Fuzzy Hash: a1871ab7f00e97f2115976a3ca2a5db9ef76e79f1ad5df410118aa12c64d5e84
                                                                                                                                                    • Instruction Fuzzy Hash: B6B176B84093818ED7B1CF149494BEFFBF9AB96304F184C5DD4D99B202CB359589CB62
                                                                                                                                                    Function 030E09BC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 93memoryCOMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    APIs
                                                                                                                                                    • SysAllocString.OLEAUT32(C3B3C1B7), ref: 030E0A27
                                                                                                                                                    • SysAllocString.OLEAUT32(3F7B398F), ref: 030E0AE0
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AllocString
                                                                                                                                                    • String ID: D%D+$H)d/$p=g#
                                                                                                                                                    • API String ID: 2525500382-116853379
                                                                                                                                                    • Opcode ID: abff4fe9979d3670a85b46ebf0dfecefe10215b3c70ab16234cc9c4f9e978190
                                                                                                                                                    • Instruction ID: 7b4bef2c45f4174af1811871c83924f57b1bfe02a2f8ff648d4e9a7c3ef1e390
                                                                                                                                                    • Opcode Fuzzy Hash: abff4fe9979d3670a85b46ebf0dfecefe10215b3c70ab16234cc9c4f9e978190
                                                                                                                                                    • Instruction Fuzzy Hash: 8631FDB0619381AFD350DF55D888A1FBFE4FB82284F94890DF4C98B221C375D844CBA2
                                                                                                                                                    Function 030D9169 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Variant$ClearInit
                                                                                                                                                    • String ID: i$o$x
                                                                                                                                                    • API String ID: 2610073882-2448248573
                                                                                                                                                    • Opcode ID: 6aff7cb2827332dbc9f347126882770af8a3519420a0fdeca19093f1537c1a1b
                                                                                                                                                    • Instruction ID: b551027863e8877247d35912764bf152e080853f56e94e1415a6d3ffb1c667b9
                                                                                                                                                    • Opcode Fuzzy Hash: 6aff7cb2827332dbc9f347126882770af8a3519420a0fdeca19093f1537c1a1b
                                                                                                                                                    • Instruction Fuzzy Hash: 2541C47010D7C4CED375DB2884997DABFE0ABA6314F084A9DD5D84B382C7B55288CBA3
                                                                                                                                                    Function 030D63F8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 162COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: String
                                                                                                                                                    • String ID: E$e
                                                                                                                                                    • API String ID: 2568140703-1159782984
                                                                                                                                                    • Opcode ID: 3d798b754b71a5803e2e183e7cef43b385a2a8ed0b268398c6191abdc7b91529
                                                                                                                                                    • Instruction ID: a744033b83a302b6d8ed045041cf4e527fab4f98dd2d7db7c7dae57b12eff239
                                                                                                                                                    • Opcode Fuzzy Hash: 3d798b754b71a5803e2e183e7cef43b385a2a8ed0b268398c6191abdc7b91529
                                                                                                                                                    • Instruction Fuzzy Hash: F451B271A097818FC339CE2C84903AEB7D2ABD9224F194B6DD8E9D73D5DA358841C752
                                                                                                                                                    Function 030D60A1 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 162COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: String
                                                                                                                                                    • String ID: E$e
                                                                                                                                                    • API String ID: 2568140703-1159782984
                                                                                                                                                    • Opcode ID: 35580179e1e447dbf74b203e6bc4889329ab998a16571573783a9413ad4142c9
                                                                                                                                                    • Instruction ID: aa06ffdd42b256c77edd4dea07adf9d11e542ea752e1e09c2fb367dc54437838
                                                                                                                                                    • Opcode Fuzzy Hash: 35580179e1e447dbf74b203e6bc4889329ab998a16571573783a9413ad4142c9
                                                                                                                                                    • Instruction Fuzzy Hash: C35183717097918FC729CA2CC8503AEB7D26BD9224F5D4B2DE4EAD73D1DA358841C742
                                                                                                                                                    Function 030DA669 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MetricsSystem
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4116985748-3916222277
                                                                                                                                                    • Opcode ID: 89a0b1b5e7a5d08f27a4ab42854c9c4ef7818f42889c0f734cff28c4c926687c
                                                                                                                                                    • Instruction ID: 587ec3d62fc882e40b1a85db4fc0f156a86fa1adb4a654c8a9cd9b64890adc4b
                                                                                                                                                    • Opcode Fuzzy Hash: 89a0b1b5e7a5d08f27a4ab42854c9c4ef7818f42889c0f734cff28c4c926687c
                                                                                                                                                    • Instruction Fuzzy Hash: 6A418EB4D052088FDB40EFA8E58469EBBF0EB88310F11856DE498E7354D774A984CF92
                                                                                                                                                    Function 030DAF5B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON
                                                                                                                                                    Download Yara Rule
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2492212349.00000000030A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_30a0000_BitLockerToGo.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MetricsSystem
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4116985748-3916222277
                                                                                                                                                    • Opcode ID: 2e718b28957fe8683addfa482c1ec9e445874e50ef349a35e4c75f715af7a3e8
                                                                                                                                                    • Instruction ID: 89386db6aba853ea2435f6af66e5389af6561e7b90ff38eb9f6874d8a03d4739
                                                                                                                                                    • Opcode Fuzzy Hash: 2e718b28957fe8683addfa482c1ec9e445874e50ef349a35e4c75f715af7a3e8
                                                                                                                                                    • Instruction Fuzzy Hash: EE315DB09193158FD740EF68D98565EBBF0FB88300F01856DE498E7255D774A988CF82