Windows Analysis Report
EKAHephXb2.exe

Overview

General Information

Sample name: EKAHephXb2.exe
(renamed because the original name is a hash value)
Original sample name: c0faa9469b975c6abf8305f713c91740a455f7e17f49cb4c21c801f432bd5baf.exe
Analysis ID: 1524040
MD5: 6cf54ce259904e8ee54d521a8c85aff1
SHA1: 7ebab8469454f1954b8fec645b921f316eda9ddc
SHA256: c0faa9469b975c6abf8305f713c91740a455f7e17f49cb4c21c801f432bd5baf
Tags: exe, GuizhouSixuandaTechnologyCoLtd, signed, user-JAMESWT_MHT

Detection

LummaC, Go Injector, LummaC Stealer
Score: 99
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Go Injector
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality for reading data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

  • System is w10x64
  • EKAHephXb2.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\EKAHephXb2.exe" MD5: 6CF54CE259904E8EE54D521A8C85AFF1)
    • BitLockerToGo.exe (PID: 7616 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["reggwardssdqw.shop", "eemmbryequo.shop", "tryyudjasudqo.shop", "keennylrwmqlw.shop", "tendencctywop.shop", "licenseodqwmqn.shop", "relaxatinownio.shop", "tesecuuweqo.shop"], "Build id": "c2CoW0--4"}
Source | Rule | Description | Author | Strings
EKAHephXb2.exe | JoeSecurity_GoInjector_2 | Yara detected Go Injector | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000000.00000003.1798475742.00000145E3200000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000000.00000003.1822185696.00000145E31A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000000.00000002.1826819388.000000C0009F8000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
(table truncated in the report: 7 entries)

Source | Rule | Description | Author | Strings
3.2.BitLockerToGo.exe.410000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
0.2.EKAHephXb2.exe.c000830000.4.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
0.3.EKAHephXb2.exe.145e31a0000.4.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
3.2.BitLockerToGo.exe.410000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
0.2.EKAHephXb2.exe.c0007da000.2.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
(table truncated in the report: 8 entries)
                        No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-02T15:05:02.469562+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49714 | 104.21.16.12 | 443 | TCP
2024-10-02T15:05:02.469562+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.9 | 49714 | 104.21.16.12 | 443 | TCP
2024-10-02T15:05:00.248127+0200 | 2055879 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 50213 | 1.1.1.1 | 53 | UDP
2024-10-02T15:05:00.174781+0200 | 2055881 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 63593 | 1.1.1.1 | 53 | UDP
2024-10-02T15:05:00.186584+0200 | 2055883 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 60987 | 1.1.1.1 | 53 | UDP
2024-10-02T15:05:00.232835+0200 | 2055885 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 51149 | 1.1.1.1 | 53 | UDP
2024-10-02T15:05:00.219342+0200 | 2055887 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 51217 | 1.1.1.1 | 53 | UDP
2024-10-02T15:04:59.984970+0200 | 2055891 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 59173 | 1.1.1.1 | 53 | UDP
2024-10-02T15:05:00.202113+0200 | 2055893 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 60539 | 1.1.1.1 | 53 | UDP
2024-10-02T15:05:00.259045+0200 | 2055895 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49284 | 1.1.1.1 | 53 | UDP


                        AV Detection

Source: https://steamcommunity.com/profiles/76561199724331900 | URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ | URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges | URL Reputation: Label: malware
Source: 0.2.EKAHephXb2.exe.c000830000.4.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["reggwardssdqw.shop", "eemmbryequo.shop", "tryyudjasudqo.shop", "keennylrwmqlw.shop", "tendencctywop.shop", "licenseodqwmqn.shop", "relaxatinownio.shop", "tesecuuweqo.shop"], "Build id": "c2CoW0--4"}
Source: EKAHephXb2.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 94.9% probability
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp | String decryptor: tryyudjasudqo.shop
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp | String decryptor: eemmbryequo.shop
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp | String decryptor: reggwardssdqw.shop
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp | String decryptor: relaxatinownio.shop
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp | String decryptor: tesecuuweqo.shop
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp | String decryptor: tendencctywop.shop
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp | String decryptor: licenseodqwmqn.shop
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp | String decryptor: keennylrwmqlw.shop
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp | String decryptor: c2CoW0--4
Source: EKAHephXb2.exe | Static PE information: certificate valid
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.12:443 -> 192.168.2.9:49714 version: TLS 1.2
Source: EKAHephXb2.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: Binary string: BitLockerToGo.pdb source: EKAHephXb2.exe, 00000000.00000002.1824849229.000000C0004C8000.00000004.00001000.00020000.00000000.sdmp, EKAHephXb2.exe, 00000000.00000002.1822420580.000000C0001F7000.00000004.00001000.00020000.00000000.sdmp, EKAHephXb2.exe, 00000000.00000003.1814431335.00000145E3200000.00000004.00001000.00020000.00000000.sdmp
                        Source: Binary string: BitLockerToGo.pdbGCTL source: EKAHephXb2.exe, 00000000.00000002.1824849229.000000C0004C8000.00000004.00001000.00020000.00000000.sdmp, EKAHephXb2.exe, 00000000.00000002.1822420580.000000C0001F7000.00000004.00001000.00020000.00000000.sdmp, EKAHephXb2.exe, 00000000.00000003.1814431335.00000145E3200000.00000004.00001000.00020000.00000000.sdmp

                        Networking

Source: Network traffic | Suricata IDS: 2055893 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tesecuuweqo .shop) : 192.168.2.9:60539 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2055885 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reggwardssdqw .shop) : 192.168.2.9:51149 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2055891 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencctywop .shop) : 192.168.2.9:59173 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2055881 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (keennylrwmqlw .shop) : 192.168.2.9:63593 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2055879 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eemmbryequo .shop) : 192.168.2.9:50213 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2055895 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tryyudjasudqo .shop) : 192.168.2.9:49284 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2055887 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (relaxatinownio .shop) : 192.168.2.9:51217 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2055883 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licenseodqwmqn .shop) : 192.168.2.9:60987 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49714 -> 104.21.16.12:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49714 -> 104.21.16.12:443
Source: Malware configuration extractor | URLs: reggwardssdqw.shop
Source: Malware configuration extractor | URLs: eemmbryequo.shop
Source: Malware configuration extractor | URLs: tryyudjasudqo.shop
Source: Malware configuration extractor | URLs: keennylrwmqlw.shop
Source: Malware configuration extractor | URLs: tendencctywop.shop
Source: Malware configuration extractor | URLs: licenseodqwmqn.shop
Source: Malware configuration extractor | URLs: relaxatinownio.shop
Source: Malware configuration extractor | URLs: tesecuuweqo.shop
Source: Joe Sandbox View | IP Address: 104.102.49.254
Source: Joe Sandbox View | IP Address: 104.21.16.12
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: gravvitywio.store
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 occurrences)
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: tendencctywop.shop
Source: global traffic | DNS traffic detected: DNS query: keennylrwmqlw.shop
Source: global traffic | DNS traffic detected: DNS query: licenseodqwmqn.shop
Source: global traffic | DNS traffic detected: DNS query: tesecuuweqo.shop
Source: global traffic | DNS traffic detected: DNS query: relaxatinownio.shop
Source: global traffic | DNS traffic detected: DNS query: reggwardssdqw.shop
Source: global traffic | DNS traffic detected: DNS query: eemmbryequo.shop
Source: global traffic | DNS traffic detected: DNS query: tryyudjasudqo.shop
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: gravvitywio.store
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: gravvitywio.store
Source: EKAHephXb2.exe | String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: EKAHephXb2.exe | String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: EKAHephXb2.exe | String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: EKAHephXb2.exe | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: EKAHephXb2.exe | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://earth.google.com/kml/2.0
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://earth.google.com/kml/2.1
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://earth.google.com/kml/2.2
Source: EKAHephXb2.exe | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: EKAHephXb2.exe | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: EKAHephXb2.exe | String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: EKAHephXb2.exe | String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: EKAHephXb2.exe | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000592000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848237703.000000000063E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000592000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848237703.000000000063E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000592000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848237703.000000000063E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: EKAHephXb2.exe | String found in binary or memory: http://subca.ocsp-certum.com02
Source: EKAHephXb2.exe | String found in binary or memory: http://www.certum.pl/CPS0
Source: EKAHephXb2.exe | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C00015A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.opengis.net/gml
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.opengis.net/gml/3.2
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.opengis.net/gml/3.3/exr
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.opengis.net/kml/2.2
                        Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.topografix.com/GPX/1/1
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
                        Source: BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.akamai.steamstatic
                        Source: BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847574186.0000000000597000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847574186.0000000000597000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847574186.0000000000597000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                        Source: BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000592000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847574186.0000000000597000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847574186.0000000000597000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZK
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847574186.0000000000597000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&l=e
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                        Source: BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                        Source: EKAHephXb2.exeString found in binary or memory: https://github.com/golang/protobuf/issues/1609):
                        Source: BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/
                        Source: BitLockerToGo.exe, 00000003.00000003.1847574186.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847749596.00000000005C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847574186.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/api
                        Source: BitLockerToGo.exe, 00000003.00000003.1847574186.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gravvitywio.store/apib
                        Source: BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
                        Source: EKAHephXb2.exeString found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictCount
                        Source: BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847749596.00000000005CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
                        Source: BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000592000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848237703.000000000063E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                        Source: BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
                        Source: BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847749596.00000000005CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847574186.0000000000597000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
                        Source: BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000592000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
                        Source: BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847749596.00000000005CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900p
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
                        Source: BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
                        Source: BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
                        Source: BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000592000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848237703.000000000063E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                        Source: EKAHephXb2.exeString found in binary or memory: https://www.certum.pl/CPS0
                        Source: EKAHephXb2.exeString found in binary or memory: https://www.globalsign.com/repository/0
                        Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                        Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49713 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 104.21.16.12:443 -> 192.168.2.9:49714 version: TLS 1.2
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004443D0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,3_2_004443D0
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004443D0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,3_2_004443D0
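The string dump above mixes several kinds of URL: certificate-chain and OCSP locations that belong to the signed PE, XML schema namespaces embedded by the Go loader's libraries, Steam and Valve page assets, and one unrelated domain, gravvitywio.store, whose strings are found only in the memory of the injected BitLockerToGo.exe process. Splitting the list by host and by the process that held the string is the fastest way to separate background noise from the indicators worth acting on. The Python triage script below is an added example and is not part of the Joe Sandbox report or its tooling. Its sample lines are a constructed subset of the rows above in the same flattened layout; the host lists that define the noise buckets, the "candidate_c2" label for whatever is left over, and the rule that a URL differing from another only by one trailing byte (the report's "/apib" next to "/api") is a memory overrun rather than a second indicator are all assumptions of this example, not findings of the report.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a subset of the report's "String found in binary or memory"
# rows, in the flattened one-row-per-line layout used on the page.
SAMPLE_LINES = [
    "Source: EKAHephXb2.exe | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C",
    "Source: EKAHephXb2.exe | String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0",
    "Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.opengis.net/kml/2.2",
    "Source: EKAHephXb2.exe | String found in binary or memory: https://github.com/golang/protobuf/issues/1609):",
    "Source: BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900",
    "Source: BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900p",
    "Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english",
    "Source: BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gravvitywio.store/",
    "Source: BitLockerToGo.exe, 00000003.00000003.1847574186.00000000005B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gravvitywio.store/api",
    "Source: BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gravvitywio.store/apib",
]

# The source process is the first token ending in ".exe". The lazy quantifier also
# copes with the glued "EKAHephXb2.exeString found ..." form that HTML flattening
# produces when the column separator is lost.
LINE_RE = re.compile(
    r"Source:\s*(?P<proc>\S+?\.exe).*?String found in binary or memory:\s*(?P<url>\S+)"
)

# Host suffixes treated as background noise. These lists are this example's own
# assumption about what is benign in THIS report, not a Joe Sandbox classification.
NOISE_BUCKETS = {
    "pki": ("globalsign.com", "certum.pl", "ocsp-certum.com"),
    "schema": ("opengis.net", "topografix.com", "collada.org", "earth.google.com", "garmin.com"),
    "devdocs": ("github.com", "protobuf.dev"),
    "steam": ("steampowered.com", "steamcommunity.com", "steamstatic.com", "valvesoftware.com"),
}


def parse_report_lines(lines):
    """Return (process, url) pairs for every row in the report's string-dump layout."""
    pairs = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            # The dumper glues trailing punctuation from adjacent text onto the URL.
            pairs.append((m.group("proc"), m.group("url").rstrip("):;,'\"")))
    return pairs


def collapse_overruns(urls):
    """Drop any URL that equals another URL plus exactly one trailing character.

    Strings scraped from memory often carry one adjacent byte; counting both
    forms inflates the indicator list. This is a heuristic assumed here.
    """
    urls = set(urls)
    return sorted(u for u in urls if u[:-1] not in urls)


def bucket_for(url):
    """Classify a URL by host suffix; anything unmatched is a C2 candidate."""
    host = urlsplit(url).hostname or ""
    for name, suffixes in NOISE_BUCKETS.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return name
    return "candidate_c2"


def triage(lines):
    """Group URLs by noise bucket and by the process whose memory held them."""
    by_bucket, by_proc = defaultdict(set), defaultdict(set)
    for proc, url in parse_report_lines(lines):
        by_bucket[bucket_for(url)].add(url)
        by_proc[proc].add(url)
    return (
        {b: collapse_overruns(u) for b, u in by_bucket.items()},
        {p: collapse_overruns(u) for p, u in by_proc.items()},
    )


if __name__ == "__main__":
    buckets, procs = triage(SAMPLE_LINES)
    for proc, urls in procs.items():
        print(f"{proc}: {len(urls)} distinct URL(s)")
    for name in ("candidate_c2", "steam"):
        print(f"[{name}]")
        for url in buckets.get(name, []):
            print("   ", url)
```

Run against the full list on this page, every candidate_c2 hit and every Steam URL comes from BitLockerToGo.exe, the process the parent injected into, while the parent EKAHephXb2.exe contributes only PKI, schema and Go documentation strings. That split is the reason to keep the Steam bucket visible for review rather than silently discarding it as vendor noise.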

System Summary

Source: 00000000.00000002.1825888626.000000C000644000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1826819388.000000C000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0041F3E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0041FA80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0041CD30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0041FF36
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00411000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0042E010
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00456010
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00418140
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0044A160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0044B122
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0043B1C3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00453180
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00454212
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004112DD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004382B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00450340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00433330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00456330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004203C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004233D8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0041A3F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004533B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00424444
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0043946D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0043948B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0042F490
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004135E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0044B650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004546D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004536F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00456690
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004547C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0043D7E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004557E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00434780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004177A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004357AE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00437860
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0042B832
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0043A8AD
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041D8B03_2_0041D8B0
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0043B9703_2_0043B970
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0043890E3_2_0043890E
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00419A5B3_2_00419A5B
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041FA1F3_2_0041FA1F
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0044FAC03_2_0044FAC0
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00454AF03_2_00454AF0
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041AA903_2_0041AA90
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00439ABB3_2_00439ABB
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041BB003_2_0041BB00
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00418B203_2_00418B20
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00452BCC3_2_00452BCC
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00424B8D3_2_00424B8D
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00433C4D3_2_00433C4D
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0042DC233_2_0042DC23
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00453C203_2_00453C20
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0042BCC53_2_0042BCC5
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00455CD03_2_00455CD0
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00420CE03_2_00420CE0
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00422CA03_2_00422CA0
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00422D503_2_00422D50
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00439D5A3_2_00439D5A
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00414D003_2_00414D00
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041ED303_2_0041ED30
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00418DFD3_2_00418DFD
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00416D803_2_00416D80
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00424E0F3_2_00424E0F
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00419E803_2_00419E80
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00435EA03_2_00435EA0
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00438EA93_2_00438EA9
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00423F0E3_2_00423F0E
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041AFF03_2_0041AFF0
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0044EFB03_2_0044EFB0
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0041E010 appears 182 times
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0041C640 appears 64 times
                        Source: EKAHephXb2.exe Static PE information: Number of sections : 12 > 10
                        Source: EKAHephXb2.exe, 00000000.00000002.1824849229.000000C0004C8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs EKAHephXb2.exe
                        Source: EKAHephXb2.exe, 00000000.00000000.1358938721.00007FF6CD3C8000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameProjectOverviewP. vs EKAHephXb2.exe
                        Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C0001F7000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs EKAHephXb2.exe
                        Source: EKAHephXb2.exe, 00000000.00000003.1814431335.00000145E3200000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs EKAHephXb2.exe
                        Source: EKAHephXb2.exe Binary or memory string: OriginalFilenameProjectOverviewP. vs EKAHephXb2.exe
                        Source: 00000000.00000002.1825888626.000000C000644000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
                        Source: 00000000.00000002.1826819388.000000C000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
                        Source: classification engine Classification label: mal99.troj.evad.winEXE@3/0@10/2
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004330D0 CoCreateInstance
                        Source: C:\Users\user\Desktop\EKAHephXb2.exe File created: C:\Users\Public\Libraries\egabm.scif
                        Source: C:\Users\user\Desktop\EKAHephXb2.exe File opened: C:\Windows\system32\65a273b3cd66a6a4bd7cab6abfe637daac675d2498d30b024507bdf6a671ab50AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                        Source: EKAHephXb2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\Desktop\EKAHephXb2.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: EKAHephXb2.exe, 00000000.00000000.1357843651.00007FF6CC9F5000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SelectExprDprotobuf:"bytes,5,opt,name=select_expr,json=selectExpr,proto3,oneof"P*func(context.Context, string, *net.TCPAddr, *net.TCPAddr) (*net.TCPConn, error)P*struct { *promhttp.responseWriterDelegator; http.Hijacker; http.CloseNotifier }P*struct { *promhttp.responseWriterDelegator; io.ReaderFrom; http.CloseNotifier }P*func([]uint8, protoreflect.Value, uint64, impl.marshalOptions) ([]uint8, error)P*struct { F uintptr; X0 impl.Converter; X1 impl.offset; X2 reflect.StructField }P*struct { F uintptr; X0 impl.offset; X1 reflect.StructField; X2 impl.Converter }P*struct { F uintptr; X0 reflect.Type; X1 map[reflect.Type]*impl.coderFieldInfo }P*struct { F uintptr; X0 reflect.Type; X1 reflect.Type; X2 *impl.coderFieldInfo }
                        Source: EKAHephXb2.exe ReversingLabs: Detection: 47%
                        Source: EKAHephXb2.exe String found in binary or memory: EyzcLWJeHl/load.go
                        Source: EKAHephXb2.exe String found in binary or memory: github.com/brianvoe/gofakeit@v3.18.0+incompatible/data/address.go
                        Source: EKAHephXb2.exe String found in binary or memory: github.com/xo/terminfo@v0.0.0-20210125001918-ca9a967f8778/load.go
                        Source: EKAHephXb2.exe String found in binary or memory: net/addrselect.go
                        Source: EKAHephXb2.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
                        Source: EKAHephXb2.exe String found in binary or memory: 0-9a-zA-Z]^data:((?:\w+\/(?:([^;]|;[^;]).)+)?)accessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes.Reader.ReadAt: negative offsetlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
                        Source: C:\Users\user\Desktop\EKAHephXb2.exe File read: C:\Users\user\Desktop\EKAHephXb2.exe
                        Source: unknown Process created: C:\Users\user\Desktop\EKAHephXb2.exe "C:\Users\user\Desktop\EKAHephXb2.exe"
                        Source: C:\Users\user\Desktop\EKAHephXb2.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                        Source: C:\Users\user\Desktop\EKAHephXb2.exe Section loaded: winmm.dll
                        Source: C:\Users\user\Desktop\EKAHephXb2.exe Section loaded: powrprof.dll
                        Source: C:\Users\user\Desktop\EKAHephXb2.exe Section loaded: umpdc.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll
                        Source: EKAHephXb2.exe Static PE information: certificate valid
                        Source: EKAHephXb2.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                        Source: EKAHephXb2.exe Static PE information: Image base 0x140000000 > 0x60000000
                        Source: EKAHephXb2.exe Static file information: File size 14931192 > 1048576
                        Source: EKAHephXb2.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x47da00
                        Source: EKAHephXb2.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x8f1600
                        Source: EKAHephXb2.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: Binary string: BitLockerToGo.pdb source: EKAHephXb2.exe, 00000000.00000002.1824849229.000000C0004C8000.00000004.00001000.00020000.00000000.sdmp, EKAHephXb2.exe, 00000000.00000002.1822420580.000000C0001F7000.00000004.00001000.00020000.00000000.sdmp, EKAHephXb2.exe, 00000000.00000003.1814431335.00000145E3200000.00000004.00001000.00020000.00000000.sdmp
                        Source: Binary string: BitLockerToGo.pdbGCTL source: EKAHephXb2.exe, 00000000.00000002.1824849229.000000C0004C8000.00000004.00001000.00020000.00000000.sdmp, EKAHephXb2.exe, 00000000.00000002.1822420580.000000C0001F7000.00000004.00001000.00020000.00000000.sdmp, EKAHephXb2.exe, 00000000.00000003.1814431335.00000145E3200000.00000004.00001000.00020000.00000000.sdmp
                        Source: EKAHephXb2.exe Static PE information: section name: .xdata
                        Source: C:\Users\user\Desktop\EKAHephXb2.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7636 Thread sleep time: -60000s >= -30000s
                        Source: EKAHephXb2.exe, 00000000.00000002.1827188067.00000145BDA68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllEEH
                        Source: BitLockerToGo.exe, 00000003.00000003.1847574186.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                        Source: EKAHephXb2.exe Binary or memory string: depgithub.com/vmware/govmomiv0.43.0h1:7Kg3Bkdly+TrE67BYXzRq7ZrDnn7xqpKX95uEh2f9Go=
                        Source: BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000578000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWXl^%SystemRoot%\system32\mswsock.dllll
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00451C60 LdrInitializeThunk

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\EKAHephXb2.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 410000 protect: page execute and read and write
                        Source: C:\Users\user\Desktop\EKAHephXb2.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 410000 value starts with: 4D5A
                        Source: EKAHephXb2.exe, 00000000.00000002.1826819388.000000C000800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: tryyudjasudqo.shop
                        Source: EKAHephXb2.exe, 00000000.00000002.1826819388.000000C000800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: eemmbryequo.shop
                        Source: EKAHephXb2.exe, 00000000.00000002.1826819388.000000C000800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: reggwardssdqw.shop
                        Source: EKAHephXb2.exe, 00000000.00000002.1826819388.000000C000800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: relaxatinownio.shop
                        Source: EKAHephXb2.exe, 00000000.00000002.1826819388.000000C000800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: tesecuuweqo.shop
                        Source: EKAHephXb2.exe, 00000000.00000002.1826819388.000000C000800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: tendencctywop.shop
                        Source: EKAHephXb2.exe, 00000000.00000002.1826819388.000000C000800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: licenseodqwmqn.shop
                        Source: EKAHephXb2.exe, 00000000.00000002.1826819388.000000C000800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: keennylrwmqlw.shop
                        Source: C:\Users\user\Desktop\EKAHephXb2.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 410000
                        Source: C:\Users\user\Desktop\EKAHephXb2.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 36C008
                        Source: C:\Users\user\Desktop\EKAHephXb2.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                        Source: C:\Users\user\Desktop\EKAHephXb2.exe Queries volume information: C:\Users\user\Desktop\EKAHephXb2.exe VolumeInformation
                        Source: C:\Users\user\Desktop\EKAHephXb2.exe Queries volume information: C:\Windows VolumeInformation
                        Source: C:\Users\user\Desktop\EKAHephXb2.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
                        Source: C:\Users\user\Desktop\EKAHephXb2.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
                        Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Stealing of Sensitive Information

                        Source: Yara match File source: EKAHephXb2.exe, type: SAMPLE
                        Source: Yara match File source: 0.2.EKAHephXb2.exe.7ff6cc510000.6.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.0.EKAHephXb2.exe.7ff6cc510000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000000.00000002.1831653920.00007FF6CD034000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match File source: 00000000.00000000.1357843651.00007FF6CD034000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: EKAHephXb2.exe PID: 7256, type: MEMORYSTR
                        Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                        Source: Yara match File source: 3.2.BitLockerToGo.exe.410000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.EKAHephXb2.exe.c000830000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.3.EKAHephXb2.exe.145e31a0000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 3.2.BitLockerToGo.exe.410000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.EKAHephXb2.exe.c0007da000.2.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.EKAHephXb2.exe.c000830000.4.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.EKAHephXb2.exe.c0009f8000.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.3.EKAHephXb2.exe.145e3200000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.EKAHephXb2.exe.c0009f8000.5.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.3.EKAHephXb2.exe.145e31a0000.4.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.3.EKAHephXb2.exe.145e3200000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000000.00000003.1798475742.00000145E3200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000000.00000003.1822185696.00000145E31A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000000.00000002.1826819388.000000C0009F8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000000.00000002.1826819388.000000C000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

                        Remote Access Functionality

                        Source: Yara match File source: EKAHephXb2.exe, type: SAMPLE
                        Source: Yara match File source: 0.2.EKAHephXb2.exe.7ff6cc510000.6.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.0.EKAHephXb2.exe.7ff6cc510000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000000.00000002.1831653920.00007FF6CD034000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match File source: 00000000.00000000.1357843651.00007FF6CD034000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: EKAHephXb2.exe PID: 7256, type: MEMORYSTR
                        Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                        Source: Yara match File source: 3.2.BitLockerToGo.exe.410000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.EKAHephXb2.exe.c000830000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.3.EKAHephXb2.exe.145e31a0000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 3.2.BitLockerToGo.exe.410000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.EKAHephXb2.exe.c0007da000.2.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.EKAHephXb2.exe.c000830000.4.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.EKAHephXb2.exe.c0009f8000.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.3.EKAHephXb2.exe.145e3200000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.EKAHephXb2.exe.c0009f8000.5.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.3.EKAHephXb2.exe.145e31a0000.4.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.3.EKAHephXb2.exe.145e3200000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000000.00000003.1798475742.00000145E3200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000000.00000003.1822185696.00000145E31A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000000.00000002.1826819388.000000C0009F8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000000.00000002.1826819388.000000C000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix, listed per tactic (the figures preceding a technique name are reproduced as shown in the report's matrix):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter, 1 PowerShell, At, Cron, Launchd, Scheduled Task
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: 311 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: 1 Masquerading, 1 Virtualization/Sandbox Evasion, 311 Process Injection, 11 Deobfuscate/Decode Files or Information, 2 Obfuscated Files or Information, 1 DLL Side-Loading
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: 1 Security Software Discovery, 1 Virtualization/Sandbox Evasion, 12 System Information Discovery, System Network Configuration Discovery, Internet Connection Discovery, Wi-Fi Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: 1 Archive Collected Data, 2 Clipboard Data, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: 11 Encrypted Channel, 1 Ingress Tool Transfer, 3 Non-Application Layer Protocol, 114 Application Layer Protocol, Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Source | Detection | Scanner | Label
EKAHephXb2.exe | 47% | ReversingLabs | Win64.Trojan.Lumma
                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches
Source | Detection | Scanner | Label
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english | 0% | URL Reputation | safe
https://help.steampowered.com/en/ | 0% | URL Reputation | safe
https://store.steampowered.com/news/ | 0% | URL Reputation | safe
https://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe
http://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1 | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en | 0% | URL Reputation | safe
http://www.valvesoftware.com/legal.htm | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | 0% | URL Reputation | safe
https://store.steampowered.com/stats/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | 0% | URL Reputation | safe
https://store.steampowered.com/steam_refunds/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | 0% | URL Reputation | safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | 0% | URL Reputation | safe
https://store.steampowered.com/legal/ | 0% | URL Reputation | safe
http://www.certum.pl/CPS0 | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=e | 0% | URL Reputation | safe
https://steamcommunity.com/profiles/76561199724331900 | 100% | URL Reputation | malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl | 0% | URL Reputation | safe
http://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe
https://store.steampowered.com/points/shop/ | 0% | URL Reputation | safe
https://store.steampowered.com/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw | 0% | URL Reputation | safe
https://www.certum.pl/CPS0 | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif | 0% | URL Reputation | safe
https://steamcommunity.com/profiles/76561199724331900/inventory/ | 100% | URL Reputation | malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | 0% | URL Reputation | safe
https://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=english | 0% | URL Reputation | safe
http://store.steampowered.com/account/cookiepreferences/ | 0% | URL Reputation | safe
https://store.steampowered.com/mobile | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&amp;l=english | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englis | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&amp;l=engl | 0% | URL Reputation | safe
https://store.steampowered.com/about/ | 0% | URL Reputation | safe
https://steamcommunity.com/profiles/76561199724331900/badges | 100% | URL Reputation | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.254 | true | false | | unknown
gravvitywio.store | 104.21.16.12 | true | true | | unknown
tryyudjasudqo.shop | unknown | unknown | true | | unknown
keennylrwmqlw.shop | unknown | unknown | true | | unknown
reggwardssdqw.shop | unknown | unknown | true | | unknown
tesecuuweqo.shop | unknown | unknown | true | | unknown
tendencctywop.shop | unknown | unknown | true | | unknown
eemmbryequo.shop | unknown | unknown | true | | unknown
licenseodqwmqn.shop | unknown | unknown | true | | unknown
relaxatinownio.shop | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
reggwardssdqw.shop | true | | unknown
licenseodqwmqn.shop | true | | unknown
relaxatinownio.shop | true | | unknown
keennylrwmqlw.shop | true | | unknown
tendencctywop.shop | true | | unknown
https://gravvitywio.store/api | true | | unknown
tryyudjasudqo.shop | true | | unknown
https://steamcommunity.com/profiles/76561199724331900 | true | URL Reputation: malware | unknown
tesecuuweqo.shop | true | | unknown
eemmbryequo.shop | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://steamcommunity.com/my/wishlist/ | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://steamcommunity.com/?subsection=broadcasts | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://help.steampowered.com/en/ | BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://steamcommunity.com/market/ | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://store.steampowered.com/news/ | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZK | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847574186.0000000000597000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://github.com/golang/protobuf/issues/1609): | EKAHephXb2.exe | false | | unknown
https://store.steampowered.com/subscriber_agreement/ | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://store.steampowered.com/subscriber_agreement/ | BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000592000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848237703.000000000063E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000592000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848237703.000000000063E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847574186.0000000000597000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1 | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://repository.certum.pl/cevcsca2021.cer0 | EKAHephXb2.exe | false | | unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3 | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847574186.0000000000597000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.valvesoftware.com/legal.htm | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&amp;l=e | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://steamcommunity.com/discussions/ | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://gravvitywio.store/ | BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005E0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.opengis.net/gml | EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://store.steampowered.com/stats/ | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.collada.org/2005/11/COLLADASchema | EKAHephXb2.exe | false | | unknown
http://www.topografix.com/GPX/1/1 | EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000592000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://store.steampowered.com/steam_refunds/ | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://subca.ocsp-certum.com02 | EKAHephXb2.exe | false | | unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.opengis.net/gml/3.2 | EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900 | BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.certum.pl/ctnca2.crl0l | EKAHephXb2.exe | false | | unknown
http://repository.certum.pl/ctnca2.cer09 | EKAHephXb2.exe | false | | unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://gravvitywio.store/apib | BitLockerToGo.exe, 00000003.00000003.1847574186.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005E0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://steamcommunity.com/workshop/ | BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://steamcommunity.com/profiles/76561199724331900p | BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847749596.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
https://store.steampowered.com/legal/ | BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000592000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848237703.000000000063E000.00000004.00000020.00020000.00000000.sdmp | false
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://www.certum.pl/CPS0EKAHephXb2.exefalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=eBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://cevcsca2021.ocsp-certum.com07EKAHephXb2.exefalse
                                                                                                              unknown
                                                                                                              https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=englishBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=englBitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000592000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848237703.000000000063E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://store.steampowered.com/points/shop/BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://store.steampowered.com/BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0wEKAHephXb2.exefalse
                                                                                                                unknown
                                                                                                                https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvwBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                https://www.certum.pl/CPS0EKAHephXb2.exefalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gifBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847574186.0000000000597000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                https://steamcommunity.com/profiles/76561199724331900/inventory/BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000592000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                • URL Reputation: malware
                                                                                                                unknown
                                                                                                                https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&aBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847574186.0000000000597000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpgBitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847574186.0000000000597000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  https://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=enBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://earth.google.com/kml/2.2EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=englishBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://earth.google.com/kml/2.0EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        http://earth.google.com/kml/2.1EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=englishBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2EKAHephXb2.exe, 00000000.00000002.1822420580.000000C00015A000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=englishBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://store.steampowered.com/account/cookiepreferences/BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000592000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848237703.000000000063E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://www.opengis.net/kml/2.2EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://store.steampowered.com/mobileBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://www.opengis.net/gml/3.3/exrEKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                https://avatars.akamai.steamstaticBitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  https://steamcommunity.com/BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847749596.00000000005CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&amp;l=englishBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englisBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&amp;l=englBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    https://protobuf.dev/reference/go/faq#namespace-conflictCountEKAHephXb2.exefalse
                                                                                                                                      unknown
                                                                                                                                      https://store.steampowered.com/about/BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      https://steamcommunity.com/profiles/76561199724331900/badgesBitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847574186.0000000000597000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                                      • URL Reputation: malware
                                                                                                                                      unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
104.21.16.12 | gravvitywio.store | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1524040
Start date and time: 2024-10-02 15:03:19 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: EKAHephXb2.exe (renamed because original name is a hash value)
Original Sample Name: c0faa9469b975c6abf8305f713c91740a455f7e17f49cb4c21c801f432bd5baf.exe
Detection: MAL
Classification: mal99.troj.evad.winEXE@3/0@10/2
EGA Information:
• Successful, ratio: 50%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target EKAHephXb2.exe, PID 7256 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: EKAHephXb2.exe
Time | Type | Description
09:04:59 | API Interceptor | 3x Sleep call for process: BitLockerToGo.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
104.102.49.254 | http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | malicious | Unknown | www.valvesoftware.com/legal.htm
104.21.16.12 | N65c8rwdal.exe | malicious | LummaC, Go Injector, LummaC Stealer |
104.21.16.12 | BW4pTs1x3V.exe | malicious | LummaC, Go Injector, LummaC Stealer |
104.21.16.12 | IGAnbXyZVx.exe | malicious | LummaC, Go Injector, LummaC Stealer |
104.21.16.12 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar |
104.21.16.12 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar |
104.21.16.12 | b222.txt.ps1 | malicious | LummaC |
104.21.16.12 | file.exe | malicious | LummaC, Stealc, Vidar |
104.21.16.12 | file.exe | malicious | LummaC, Stealc, Vidar |
104.21.16.12 | file.exe | malicious | LummaC |
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
gravvitywio.store | N65c8rwdal.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.21.16.12
gravvitywio.store | 7wN7BF7WfX.exe | malicious | LummaC, Go Injector, LummaC Stealer | 172.67.209.193
gravvitywio.store | BW4pTs1x3V.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.21.16.12
gravvitywio.store | IGAnbXyZVx.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.21.16.12
gravvitywio.store | N65c8rwdal.exe | malicious | LummaC, Go Injector, LummaC Stealer | 172.67.209.193
gravvitywio.store | BW4pTs1x3V.exe | malicious | LummaC, Go Injector, LummaC Stealer | 172.67.209.193
gravvitywio.store | 7wN7BF7WfX.exe | malicious | LummaC, Go Injector, LummaC Stealer | 172.67.209.193
gravvitywio.store | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 104.21.16.12
gravvitywio.store | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 104.21.16.12
gravvitywio.store | b222.txt.ps1 | malicious | LummaC | 104.21.16.12
steamcommunity.com | N65c8rwdal.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254
steamcommunity.com | 7wN7BF7WfX.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254
steamcommunity.com | BW4pTs1x3V.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254
steamcommunity.com | IGAnbXyZVx.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254
steamcommunity.com | N65c8rwdal.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254
steamcommunity.com | BW4pTs1x3V.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254
steamcommunity.com | 7wN7BF7WfX.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 104.102.49.254
steamcommunity.com | b222.txt.ps1 | malicious | LummaC | 104.102.49.254
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENET (US) | N65c8rwdal.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.21.16.12
CLOUDFLARENET (US) | 7wN7BF7WfX.exe | malicious | LummaC, Go Injector, LummaC Stealer | 172.67.209.193
CLOUDFLARENET (US) | BW4pTs1x3V.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.21.16.12
CLOUDFLARENET (US) | IGAnbXyZVx.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.21.16.12
CLOUDFLARENET (US) | 35Mcl9DxHR.exe | malicious | Unknown | 172.67.178.253
CLOUDFLARENET (US) | N65c8rwdal.exe | malicious | LummaC, Go Injector, LummaC Stealer | 172.67.209.193
CLOUDFLARENET (US) | BW4pTs1x3V.exe | malicious | LummaC, Go Injector, LummaC Stealer | 172.67.188.210
CLOUDFLARENET (US) | 7wN7BF7WfX.exe | malicious | LummaC, Go Injector, LummaC Stealer | 172.67.209.193
CLOUDFLARENET (US) | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 172.67.140.92
CLOUDFLARENET (US) | l5pPoBu9i3.exe | malicious | Unknown | 172.67.178.253
AKAMAI-AS (US) | N65c8rwdal.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254
AKAMAI-AS (US) | 7wN7BF7WfX.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254
AKAMAI-AS (US) | BW4pTs1x3V.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254
AKAMAI-AS (US) | IGAnbXyZVx.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254
AKAMAI-AS (US) | N65c8rwdal.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254
AKAMAI-AS (US) | BW4pTs1x3V.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254
AKAMAI-AS (US) | 7wN7BF7WfX.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254
AKAMAI-AS (US) | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 104.102.49.254
AKAMAI-AS (US) | eEu5xPVQUo.exe | malicious | Rhysida | 96.17.64.189
AKAMAI-AS (US) | 62-3590.pdf | malicious | Unknown | 96.17.64.189
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | N65c8rwdal.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254, 104.21.16.12
a0e9f5d64349fb13191bc781f81f42e1 | 7wN7BF7WfX.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254, 104.21.16.12
a0e9f5d64349fb13191bc781f81f42e1 | BW4pTs1x3V.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254, 104.21.16.12
a0e9f5d64349fb13191bc781f81f42e1 | IGAnbXyZVx.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254, 104.21.16.12
a0e9f5d64349fb13191bc781f81f42e1 | N65c8rwdal.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254, 104.21.16.12
a0e9f5d64349fb13191bc781f81f42e1 | BW4pTs1x3V.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254, 104.21.16.12
a0e9f5d64349fb13191bc781f81f42e1 | 7wN7BF7WfX.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.102.49.254, 104.21.16.12
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 104.102.49.254, 104.21.16.12
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 104.102.49.254, 104.21.16.12
a0e9f5d64349fb13191bc781f81f42e1 | FA_41_09_2024_.PDF | malicious | Unknown | 104.102.49.254, 104.21.16.12
No context
No created / dropped files found
File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 4.830729905091574
TrID:
• Win64 Executable (generic) (12005/4) 74.95%
• Generic Win/DOS Executable (2004/3) 12.51%
• DOS Executable Generic (2002/1) 12.50%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: EKAHephXb2.exe
File size: 14'931'192 bytes
MD5: 6cf54ce259904e8ee54d521a8c85aff1
SHA1: 7ebab8469454f1954b8fec645b921f316eda9ddc
SHA256: c0faa9469b975c6abf8305f713c91740a455f7e17f49cb4c21c801f432bd5baf
SHA512: b55625ef2a266706ff2fae5cd0188ef96eb387ca7ccb94bc4e443d12cfe3b96a1e74d0324905ea0614be70d41b9afb0141ba04c9b0a44c5ac3410e03c71054fa
SSDEEP: 98304:UK2GjzKGnxmpstkpzqEDfeIoUZJx1Jn0F:RjzKGnxmpsi3D/oUZbQ
TLSH: 82E62743F9A184E8D1EAE234842682527B71BC488B3477D73E60F7682F76BD49E78750
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$..G......*.............@.............................@............`... ............................
Icon Hash: 72d280daeaea9282
Entrypoint: 0x1400014c0
Entrypoint Section: .text
                                                                                                                                                        Digitally signed:true
                                                                                                                                                        Imagebase:0x140000000
                                                                                                                                                        Subsystem:windows gui
                                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                                                                                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                        Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                                                                                        TLS Callbacks:0x40473380, 0x1, 0x40473350, 0x1, 0x40476df0, 0x1
                                                                                                                                                        CLR (.Net) Version:
                                                                                                                                                        OS Version Major:6
                                                                                                                                                        OS Version Minor:1
                                                                                                                                                        File Version Major:6
                                                                                                                                                        File Version Minor:1
                                                                                                                                                        Subsystem Version Major:6
                                                                                                                                                        Subsystem Version Minor:1
                                                                                                                                                        Import Hash:c595f1660e1a3c84f4d9b0761d23cd7a
                                                                                                                                                        Signature Valid:true
                                                                                                                                                        Signature Issuer:CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
                                                                                                                                                        Signature Validation Error:The operation completed successfully
                                                                                                                                                        Error Number:0
                                                                                                                                                        Not Before, Not After
                                                                                                                                                        • 09/09/2024 05:06:13 09/09/2025 05:06:12
                                                                                                                                                        Subject Chain
                                                                                                                                                        • CN="Guizhou Sixuanda Technology Co., Ltd.", O="Guizhou Sixuanda Technology Co., Ltd.", L=Guiyang, S=Guizhou, C=CN, SERIALNUMBER=91520100MA6DNNXK11, OID.1.3.6.1.4.1.311.60.2.1.1=Guiyang, OID.1.3.6.1.4.1.311.60.2.1.2=Guizhou, OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization
                                                                                                                                                        Version:3
                                                                                                                                                        Thumbprint MD5:62A1343435FC5131E11FA8C871BB3A1B
                                                                                                                                                        Thumbprint SHA-1:A3AFF46C5F8E2A1F750C570698B864E75553E61F
                                                                                                                                                        Thumbprint SHA-256:87D45B86DFCC84C5EF8338026C26F34935DBAA383A7DD583F48675AF77C957A4
                                                                                                                                                        Serial:332576FE101609502C23F70055B4A3BE
Entrypoint disassembly (Instruction):
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00DD48B5h]
mov dword ptr [eax], 00000001h
call 00007F75E1086C8Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00DD4895h]
mov dword ptr [eax], 00000000h
call 00007F75E1086C6Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F75E1503C2Ch
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F75E1086FA9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
jmp dword ptr [eax]
inc edi
outsd
and byte ptr [edx+75h], ah
imul ebp, dword ptr [esp+20h], 203A4449h
and ch, byte ptr [edx+56h]
bound esi, dword ptr [esi]
push ebx
imul eax, dword ptr [ecx+58h], 58504878h
xor eax, 6F37335Fh
jbe 00007F75E1087014h
pop edi
das
inc esi
xor bl, byte ptr [eax+4Ah]
jno 00007F75E1087048h
dec ebx
push edi
xor byte ptr [edx+75h], bl
popad
inc ecx
inc ebp
dec ecx
xor al, 59h
jno 00007F75E1087014h
dec eax
das
inc ebx
outsd
imul esi, dword ptr [ecx], 4D717044h
dec ecx
xor eax, 76324656h
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xe82000 | 0x4e | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe83000 | 0x1458 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe87000 | 0x33f37 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xdd7000 | 0x16f08 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xe3ac00 | 0x28f8 | .bss
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xebb000 | 0x18444 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xdd56e0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xe83494 | 0x458 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x47d920 | 0x47da00 | 27639484d6b4fd263d96f43eb0443cc9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x47f000 | 0x65630 | 0x65800 | 7a3d1f08862f32438a0ca4bf87947330 | False | 0.3186768780788177 | dBase III DBT, version number 0, next free block index 10, 1st item "v1.55.5\011h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU=" | 4.749889327624667 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x4e5000 | 0x8f1530 | 0x8f1600 | 88e86c504a8b4fdbb7152476181d4217 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata | 0xdd7000 | 0x16f08 | 0x17000 | 90b818f56df6142d7b94831b08d83bf2 | False | 0.4005073879076087 | data | 5.614854376371168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata | 0xdee000 | 0xc60 | 0xe00 | f2508531996480262c64bae3c9847688 | False | 0.2592075892857143 | data | 3.9907836852218073 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0xdef000 | 0x92940 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xe82000 | 0x4e | 0x200 | 65d8bd324a4202b0eb24be92fc3f05e7 | False | 0.1328125 | data | 0.8387805141107897 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0xe83000 | 0x1458 | 0x1600 | 8143fc91ba82984bf7904c00dc334661 | False | 0.2979403409090909 | data | 4.330348852151198 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0xe85000 | 0x70 | 0x200 | a39c638c7af9362556ef51f04516fbf3 | False | 0.08203125 | data | 0.47139462148086453 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe86000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xe87000 | 0x33f37 | 0x34000 | d774dfb232a96941c11db519b165f705 | False | 0.11916879507211539 | data | 4.062299694259735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0xebb000 | 0x18444 | 0x18600 | 6522fe013e61a1c70af63cd04b5c16df | False | 0.23966346153846155 | data | 5.437380138681292 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xe87168 | 0x3334c | Device independent bitmap graphic, 225 x 450 x 32, image size 202500 | | | 0.11429388767044912
RT_GROUP_ICON | 0xeba4b4 | 0x14 | data | | | 1.2
RT_VERSION | 0xeba4c8 | 0x348 | data | English | United States | 0.42738095238095236
RT_MANIFEST | 0xeba810 | 0x727 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4265428727471327
DLL | Import
KERNEL32.dll | AddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler
msvcrt.dll | ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen
Name | Ordinal | Address
_cgo_dummy_export | 1 | 0x140e80b70
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-02T15:04:59.984970+0200 | 2055891 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencctywop .shop) | 1 | 192.168.2.9 | 59173 | 1.1.1.1 | 53 | UDP
2024-10-02T15:05:00.174781+0200 | 2055881 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (keennylrwmqlw .shop) | 1 | 192.168.2.9 | 63593 | 1.1.1.1 | 53 | UDP
2024-10-02T15:05:00.186584+0200 | 2055883 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licenseodqwmqn .shop) | 1 | 192.168.2.9 | 60987 | 1.1.1.1 | 53 | UDP
2024-10-02T15:05:00.202113+0200 | 2055893 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tesecuuweqo .shop) | 1 | 192.168.2.9 | 60539 | 1.1.1.1 | 53 | UDP
2024-10-02T15:05:00.219342+0200 | 2055887 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (relaxatinownio .shop) | 1 | 192.168.2.9 | 51217 | 1.1.1.1 | 53 | UDP
2024-10-02T15:05:00.232835+0200 | 2055885 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reggwardssdqw .shop) | 1 | 192.168.2.9 | 51149 | 1.1.1.1 | 53 | UDP
2024-10-02T15:05:00.248127+0200 | 2055879 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eemmbryequo .shop) | 1 | 192.168.2.9 | 50213 | 1.1.1.1 | 53 | UDP
2024-10-02T15:05:00.259045+0200 | 2055895 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tryyudjasudqo .shop) | 1 | 192.168.2.9 | 49284 | 1.1.1.1 | 53 | UDP
2024-10-02T15:05:02.469562+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.9 | 49714 | 104.21.16.12 | 443 | TCP
2024-10-02T15:05:02.469562+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49714 | 104.21.16.12 | 443 | TCP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 2, 2024 15:04:59.984970093 CEST | 192.168.2.9 | 1.1.1.1 | 0xd0fc | Standard query (0) | tendencctywop.shop | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:00.174781084 CEST | 192.168.2.9 | 1.1.1.1 | 0x5e01 | Standard query (0) | keennylrwmqlw.shop | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:00.186583996 CEST | 192.168.2.9 | 1.1.1.1 | 0x401e | Standard query (0) | licenseodqwmqn.shop | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:00.202112913 CEST | 192.168.2.9 | 1.1.1.1 | 0x63ff | Standard query (0) | tesecuuweqo.shop | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:00.219341993 CEST | 192.168.2.9 | 1.1.1.1 | 0x6fe4 | Standard query (0) | relaxatinownio.shop | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:00.232835054 CEST | 192.168.2.9 | 1.1.1.1 | 0x6f9d | Standard query (0) | reggwardssdqw.shop | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:00.248126984 CEST | 192.168.2.9 | 1.1.1.1 | 0xfceb | Standard query (0) | eemmbryequo.shop | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:00.259044886 CEST | 192.168.2.9 | 1.1.1.1 | 0x6eb3 | Standard query (0) | tryyudjasudqo.shop | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:00.270220995 CEST | 192.168.2.9 | 1.1.1.1 | 0x48d7 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:01.537107944 CEST | 192.168.2.9 | 1.1.1.1 | 0x6bd9 | Standard query (0) | gravvitywio.store | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 2, 2024 15:05:00.171308041 CEST | 1.1.1.1 | 192.168.2.9 | 0xd0fc | Name error (3) | tendencctywop.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:00.184256077 CEST | 1.1.1.1 | 192.168.2.9 | 0x5e01 | Name error (3) | keennylrwmqlw.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:00.198352098 CEST | 1.1.1.1 | 192.168.2.9 | 0x401e | Name error (3) | licenseodqwmqn.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:00.216495991 CEST | 1.1.1.1 | 192.168.2.9 | 0x63ff | Name error (3) | tesecuuweqo.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:00.231165886 CEST | 1.1.1.1 | 192.168.2.9 | 0x6fe4 | Name error (3) | relaxatinownio.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:00.242408037 CEST | 1.1.1.1 | 192.168.2.9 | 0x6f9d | Name error (3) | reggwardssdqw.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:00.257658005 CEST | 1.1.1.1 | 192.168.2.9 | 0xfceb | Name error (3) | eemmbryequo.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:00.268677950 CEST | 1.1.1.1 | 192.168.2.9 | 0x6eb3 | Name error (3) | tryyudjasudqo.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:00.280997992 CEST | 1.1.1.1 | 192.168.2.9 | 0x48d7 | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:01.544358969 CEST | 1.1.1.1 | 192.168.2.9 | 0x6bd9 | No error (0) | gravvitywio.store | | 104.21.16.12 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 15:05:01.544358969 CEST | 1.1.1.1 | 192.168.2.9 | 0x6bd9 | No error (0) | gravvitywio.store | | 172.67.209.193 | A (IP address) | IN (0x0001) | false
                                                                                                                                                        • steamcommunity.com
                                                                                                                                                        • gravvitywio.store
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49713 | 104.102.49.254 | 443 | 7616 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-02 13:05:00 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                        Host: steamcommunity.com
2024-10-02 13:05:01 UTC | 1870 | IN | HTTP/1.1 200 OK
                                                                                                                                                        Server: nginx
                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                        Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                                                                                                        Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                                                        Cache-Control: no-cache
                                                                                                                                                        Date: Wed, 02 Oct 2024 13:05:01 GMT
                                                                                                                                                        Content-Length: 34837
                                                                                                                                                        Connection: close
                                                                                                                                                        Set-Cookie: sessionid=19494ceecad7d9d584ec9c17; Path=/; Secure; SameSite=None
                                                                                                                                                        Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-02 13:05:01 UTC | 14514 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
                                                                                                                                                        Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-02 13:05:01 UTC | 16384 | IN | Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f
                                                                                                                                                        Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-02 13:05:01 UTC | 3768 | IN | Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29
                                                                                                                                                        Data Ascii: <div class="profile_summary_footer"><span data-panel="{&quot;focusable&quot;:true,&quot;clickOnActivate&quot;:true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-02 13:05:01 UTC | 171 | IN | Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e
                                                                                                                                                        Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49714 | 104.21.16.12 | 443 | 7616 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-02 13:05:02 UTC | 264 | OUT | POST /api HTTP/1.1
                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                        Content-Length: 8
                                                                                                                                                        Host: gravvitywio.store
2024-10-02 13:05:02 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                                                        Data Ascii: act=life
2024-10-02 13:05:02 UTC | 780 | IN | HTTP/1.1 200 OK
                                                                                                                                                        Date: Wed, 02 Oct 2024 13:05:02 GMT
                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                                        Connection: close
                                                                                                                                                        Set-Cookie: PHPSESSID=rl3vni8n12u932bp03n48aaole; expires=Sun, 26 Jan 2025 06:51:41 GMT; Max-Age=9999999; path=/
                                                                                                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                        Pragma: no-cache
                                                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3L0cAhyFRmRQ9ElLKllPwH0hvZYS7Ql26N8XK%2F%2BsIP%2BHuRqvN4cNAE%2BspDvR2bnh0RjSkWgPjrEBPyIpY%2Bbn9Ty24va8IEyZ8GypGgyymN%2FHL7Veooy2H8NyB5m5GLOSEVL8Yw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                        Server: cloudflare
                                                                                                                                                        CF-RAY: 8cc4e6d41ea0de9a-EWR
2024-10-02 13:05:02 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                                                                                                        Data Ascii: aerror #D12
2024-10-02 13:05:02 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                        Data Ascii: 0


                                                                                                                                                        Target ID:0
                                                                                                                                                        Start time:09:04:12
                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                        Path:C:\Users\user\Desktop\EKAHephXb2.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Users\user\Desktop\EKAHephXb2.exe"
                                                                                                                                                        Imagebase:0x7ff6cc510000
                                                                                                                                                        File size:14'931'192 bytes
                                                                                                                                                        MD5 hash:6CF54CE259904E8EE54D521A8C85AFF1
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:Go lang
                                                                                                                                                        Yara matches:
                                                                                                                                                        • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000003.1798475742.00000145E3200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000003.1822185696.00000145E31A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1826819388.000000C0009F8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1825888626.000000C000644000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                        • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1826819388.000000C000930000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1826819388.000000C000930000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                        • Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000002.1831653920.00007FF6CD034000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000000.1357843651.00007FF6CD034000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                        Reputation:low
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:3
                                                                                                                                                        Start time:09:04:59
                                                                                                                                                        Start date:02/10/2024
                                                                                                                                                        Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                        Imagebase:0x860000
                                                                                                                                                        File size:231'736 bytes
                                                                                                                                                        MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Yara matches:
                                                                                                                                                        • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        Reputation:moderate
                                                                                                                                                        Has exited:true

                                                                                                                                                          Execution Graph

                                                                                                                                                          Execution Coverage:1.3%
                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                          Signature Coverage:42.5%
                                                                                                                                                          Total number of Nodes:40
                                                                                                                                                          Total number of Limit Nodes:3
                                                                                                                                                          execution_graph 18686 452844 18687 45284e 18686->18687 18690 45292e 18687->18690 18693 451c60 LdrInitializeThunk 18687->18693 18689 452a4e 18690->18689 18692 451c60 LdrInitializeThunk 18690->18692 18692->18689 18693->18690 18707 41cd30 18708 41cd39 18707->18708 18709 41cd41 GetInputState 18708->18709 18710 41cfa3 ExitProcess 18708->18710 18711 41cd4e 18709->18711 18712 41cd56 GetCurrentThreadId GetCurrentProcessId 18711->18712 18713 41cf9e 18711->18713 18715 41cd81 18712->18715 18720 451b50 18713->18720 18715->18713 18719 420e60 CoInitialize 18715->18719 18723 453160 18720->18723 18722 451b55 FreeLibrary 18722->18710 18724 453169 18723->18724 18724->18722 18694 4521e2 18695 4521f8 18694->18695 18696 45225e 18695->18696 18701 451c60 LdrInitializeThunk 18695->18701 18700 451c60 LdrInitializeThunk 18696->18700 18699 452346 18700->18699 18701->18696 18730 451b92 18731 451c2d 18730->18731 18734 451ba0 18730->18734 18736 44e8e0 18731->18736 18733 451c33 18734->18733 18735 451c17 RtlReAllocateHeap 18734->18735 18735->18733 18737 44e901 18736->18737 18738 44e949 RtlAllocateHeap 18736->18738 18737->18738 18738->18733 18739 44e998 18740 44e9a4 RtlFreeHeap 18739->18740 18741 44ea40 18739->18741 18740->18741 18741->18741 18702 45210b 18704 452138 18702->18704 18703 45219e 18704->18703 18706 451c60 LdrInitializeThunk 18704->18706 18706->18703

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
[Control-flow graph: first block 41f3e0; calls 41c590; basic-block edges and executed/not-executed colouring not reproduced]
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: ++)$/W+U$/kJi$D{?y$['O%$\#^!$_;\9$e?A=$lCzA$o/^-$|S.Q$}KxI
• API String ID: 0-931747256
• Opcode ID: f5f56df9342fcd1a9cd2fb18e6fac8a62c68859c57b4f18fc8facd74345dfb02
• Instruction ID: 49036b443f29988aa3e0e3c927521378c4053922764103fcfd2da94d6bcf0724
• Opcode Fuzzy Hash: f5f56df9342fcd1a9cd2fb18e6fac8a62c68859c57b4f18fc8facd74345dfb02
• Instruction Fuzzy Hash: F6F135B5101B018FD334CF26C895B97BBF2FB88315F158A2CD5AA8BA90D7B4A445CF85

Control-flow Graph
[Control-flow graph: first block 41fa80; basic-block edges and executed/not-executed colouring not reproduced]
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: _]$3K:I$:W&U$F3O1$J?>=$U7O5$W[$]+Q)$[ Y
• API String ID: 0-530895100
• Opcode ID: e1d34efcca7db37855918542ef890547264a481a4b70ed4dcdc34c7986943a26
• Instruction ID: 271cd6e182c93c7386f7e427a1129d538f99ec81da1b273cd7f58dc36afccb47
• Opcode Fuzzy Hash: e1d34efcca7db37855918542ef890547264a481a4b70ed4dcdc34c7986943a26
• Instruction Fuzzy Hash: 0DC120B51083809BD324DF15C980B9FBBF6EB95700F158A2CE6C96B251D7B4A846CF87

Control-flow Graph
[Control-flow graph: first block 41cd30; calls 450a80, 448510, 451b50, 41e020, 420e60, 41fa70; APIs GetInputState, GetCurrentThreadId, GetCurrentProcessId, ExitProcess; basic-block edges and executed/not-executed colouring not reproduced]
APIs
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: CurrentProcess$ExitInputStateThread
• String ID:
• API String ID: 1029096631-0
• Opcode ID: b7b90a192c43b6f0d4c73386c068b3e4a9edc03558faba2bd755775010bd2da6
• Instruction ID: 70dc50ac7719a2fa17f309c0c24034b83de819d401ea5ab27c2a43cad3b59415
• Opcode Fuzzy Hash: b7b90a192c43b6f0d4c73386c068b3e4a9edc03558faba2bd755775010bd2da6
• Instruction Fuzzy Hash: 1F61487560C2409BD305EF28D990A1EBBE2EBA5700F19892EE4C9C7352D739DC91CB56

Control-flow Graph
[Control-flow graph: first block 41ff36; calls 451b70; basic-block edges and executed/not-executed colouring not reproduced]
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 47
• API String ID: 0-1112425479
• Opcode ID: 48407a84c29cb20b49ef5f601fc0e0c6ce236ef539891f557817b7f10f3863e2
• Instruction ID: 1f427d304f0647e18c09f324250426f206e4e3119660b3e267d585edf26f09e1
• Opcode Fuzzy Hash: 48407a84c29cb20b49ef5f601fc0e0c6ce236ef539891f557817b7f10f3863e2
• Instruction Fuzzy Hash: EEA155B1108301DFD304DF25E890A2BBBF5EF89316F04896DF88987262E778D955CB5A

Control-flow Graph
[Control-flow graph: single block 451c60-451c92; API LdrInitializeThunk; executed/not-executed colouring not reproduced]
APIs
• LdrInitializeThunk.NTDLL(004554DC,005C003F,00000006,?,?,00000018,94959A9B,?,?), ref: 00451C8E
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
• Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
• Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
• Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Control-flow Graph
[Control-flow graph: first block 452844; calls 450760, 451c60; basic-block edges and executed/not-executed colouring not reproduced]
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: InitializeThunk
• String ID: @
• API String ID: 2994545307-2766056989
• Opcode ID: be4c001c0f3a90c001ad7bb9045242525751572264af7759edc85055dcb86075
• Instruction ID: 9b7abcd93900c70311db8a24e574e8b9275ec013b4d618913e76b6c2940d5305
• Opcode Fuzzy Hash: be4c001c0f3a90c001ad7bb9045242525751572264af7759edc85055dcb86075
• Instruction Fuzzy Hash: 4F6191B0A002198FDB14CF54C9917BFB7B2FF59305F18801AD901AB366E379AD15CBA9

Control-flow Graph
[Control-flow graph: first block 45259a; calls 451c60; basic-block edges and executed/not-executed colouring not reproduced]
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: %sgh
• API String ID: 0-2311733779
• Opcode ID: e74d144db168266885ca29bcbe0232159fcf435d5961c7b11c60cbc128c0cb2d
• Instruction ID: 8c3a2d6add3ac19f3e0d0d0223700f066ffc019949632e526ce27837e123c50d
• Opcode Fuzzy Hash: e74d144db168266885ca29bcbe0232159fcf435d5961c7b11c60cbc128c0cb2d
• Instruction Fuzzy Hash: 5221A635E002199FDB10CF98C941BAEB7B2FB46701F654116E911B7391D3B1BE05CB98

Control-flow Graph
[Control-flow graph: first block 41fa1f; calls 451b70; basic-block edges and executed/not-executed colouring not reproduced]
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1186b1032d364957fd9c8153d6ef55906090ff67cf76ac78f51f8f02748703c9
• Instruction ID: c53fbffbf4a5cfca03b088f70957c755bb7b9893064fecdcb79c6f487741acad
• Opcode Fuzzy Hash: 1186b1032d364957fd9c8153d6ef55906090ff67cf76ac78f51f8f02748703c9
• Instruction Fuzzy Hash: 13717B72508300DFD324DF64D88066BBBF6EB89311F09892DE98A93262D774EC55CB86

Control-flow Graph
• Function at 451b92 (basic blocks 451b92-451c48); calls 44e8e0, 44e970 and RtlReAllocateHeap
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
• String ID: 9>?

Control-flow Graph
• Function at 44e998 (basic blocks 44e998-44ea40); calls RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(?,00000000), ref: 0044EA2F
• API ID: FreeHeap
• String ID: FD

Control-flow Graph
• Function at 44e8e0 (basic blocks 44e8e0-44e963); calls RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(?,00000000,?,?,?,004560FC,?), ref: 0044E95A
• API ID: AllocateHeap

• String ID: !"#$ !"l$#"! $$%&h$($(fed$,-.$0123$0123$<=>?$?>=<$@ABC$DEFG$GFED$HIJK$LMNO$LMNO$PQRS$PQRS$SRQP$TUVW$TUVW$Tk$XYZ[$`abc$cba/$defg$h$hABC$hijk$tuvw$wvut$xyz{${567${?Z1

• String ID: w"u$#{/y$5g e$<k2i$CN$Fs8q$Mx$S{$a=}?$b?g9$c#t%$c1m3$d7e9$h;n=$s3b5$s3l=$sx${y$|v$~+V-$~?l!$-/$9;$=?

• String ID: 6690$:\Bw$AJPP$HWCF$JJCD$MP"T$MaV%$v]kk

• String ID: ,+$./ii$GEF~$Kx|E$T$dt|`$i}:i$qw$tu$vn$ym$(

APIs
• CopyFileW.KERNEL32(3<<3,31F43FF9,00000000), ref: 0043956A
• API ID: CopyFile
• String ID: $TG2$&PiD$/T,^$3<<3$3<<3$4`[b$cK_+$wdML

APIs
• CopyFileW.KERNEL32(3<<3,31F43FF9,00000000), ref: 0043956A
• API ID: CopyFile
• String ID: $TG2$&PiD$/T,^$3<<3$3<<3$4`[b$cK_+$wdML

• String ID: ~$"CC$"GC$%v$BEC$PE$TZ$UA$dGC$tJC${
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: -$0$0123456789ABCDEFXP$0123456789abcdefxp$@$A$gfff$gfff$gfff
                                                                                                                                                          • API String ID: 0-706159343
                                                                                                                                                          • Opcode ID: 3da7df43c72dc5c184542d929a179778043b15896403ae765bf15dce41323a54
                                                                                                                                                          • Instruction ID: 82077965fc0e05a0530c78ccb3034e36cb465e863eba303fd04a9366f27da827
                                                                                                                                                          • Opcode Fuzzy Hash: 3da7df43c72dc5c184542d929a179778043b15896403ae765bf15dce41323a54
                                                                                                                                                          • Instruction Fuzzy Hash: E6D2E5716083518FD714CF28C4903ABBBE2ABC9314F188A2EE995D7391D379DD85CB86
APIs
• SysAllocString.OLEAUT32(00000001), ref: 0044B1C2
• CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0044B20E
• SysAllocString.OLEAUT32(09650B65), ref: 0044B28E
• SysAllocString.OLEAUT32(09650B65), ref: 0044B34F
• SysFreeString.OLEAUT32(00000000), ref: 0044B3C3
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: String$Alloc$BlanketFreeProxy
• String ID: 4`[b$\_
• API String ID: 2892228535-3318095926
• Opcode ID: aa4269017f66bc3064278c975296c18fa1264b08f66de6994d41e78f7beb13b0
• Instruction ID: 409d13bb1f4c96984df76a676b2f78b3566141fcec03c16d9bc60f363ce3b941
• Opcode Fuzzy Hash: aa4269017f66bc3064278c975296c18fa1264b08f66de6994d41e78f7beb13b0
• Instruction Fuzzy Hash: 6F028774608340DFE314DF28D891B2EB7E2FB89705F54882DE5C5872A2DB79D815CB4A
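The call lines of the entry above are worth reading closely. The CoSetProxyBlanket arguments (?, 0xA, 0, 0, 3, 3, 0, 0) are, in the documented parameter order, an unresolved proxy pointer followed by RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, a NULL principal name, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL auth info and EOAC_NONE. That is exactly the security blanket Microsoft's documented WMI client example sets on an IWbemServices proxy, and the surrounding SysAllocString calls supply the BSTRs such a query needs (namespace, query language, query text). Which WMI class the function queries is not recoverable from this page, because the function's strings (String ID: 4`[b$\_) are obfuscated, so treat the pattern as a heuristic for "WMI client setup", not as an identification of the query. The script below is an added example for reading these lines; it is neither Joe Sandbox code nor code from the sample. Its input is the five lines copied from the entry above; the line-format regex and the record layout are assumptions about how this report renders call lines, and the constant tables are the documented Windows RPC/COM values.

```python
"""Decode the 'APIs' call lines of a Joe Sandbox function entry.

Added worked example for reading this report; not Joe Sandbox code and not
code from the analysed sample. Input lines are copied from the entry above.
"""
import re
from typing import Dict, List, Optional

# The five call lines exactly as printed in the report entry above
# (process 3, dump at 0x410000 inside BitLockerToGo.exe).
REPORT_API_LINES = [
    "• SysAllocString.OLEAUT32(00000001), ref: 0044B1C2",
    "• CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0044B20E",
    "• SysAllocString.OLEAUT32(09650B65), ref: 0044B28E",
    "• SysAllocString.OLEAUT32(09650B65), ref: 0044B34F",
    "• SysFreeString.OLEAUT32(00000000), ref: 0044B3C3",
]

# Assumed line shape: "<api>.<module>(<hex arg>,...), ref: <call-site address>".
# An argument the sandbox could not resolve is printed as "?".
_LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Windows RPC/COM constants for the CoSetProxyBlanket parameters.
RPC_C_AUTHN = {0: "RPC_C_AUTHN_NONE", 9: "RPC_C_AUTHN_GSS_NEGOTIATE", 10: "RPC_C_AUTHN_WINNT",
               14: "RPC_C_AUTHN_GSS_SCHANNEL", 16: "RPC_C_AUTHN_GSS_KERBEROS",
               0xFFFFFFFF: "RPC_C_AUTHN_DEFAULT"}
RPC_C_AUTHZ = {0: "RPC_C_AUTHZ_NONE", 1: "RPC_C_AUTHZ_NAME", 2: "RPC_C_AUTHZ_DCE",
               0xFFFFFFFF: "RPC_C_AUTHZ_DEFAULT"}
RPC_C_AUTHN_LEVEL = {0: "RPC_C_AUTHN_LEVEL_DEFAULT", 1: "RPC_C_AUTHN_LEVEL_NONE",
                     2: "RPC_C_AUTHN_LEVEL_CONNECT", 3: "RPC_C_AUTHN_LEVEL_CALL",
                     4: "RPC_C_AUTHN_LEVEL_PKT", 5: "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY",
                     6: "RPC_C_AUTHN_LEVEL_PKT_PRIVACY"}
RPC_C_IMP_LEVEL = {0: "RPC_C_IMP_LEVEL_DEFAULT", 1: "RPC_C_IMP_LEVEL_ANONYMOUS",
                   2: "RPC_C_IMP_LEVEL_IDENTIFY", 3: "RPC_C_IMP_LEVEL_IMPERSONATE",
                   4: "RPC_C_IMP_LEVEL_DELEGATE"}
PROXY_BLANKET_PARAMS = ("pProxy", "dwAuthnSvc", "dwAuthzSvc", "pServerPrincName",
                        "dwAuthnLevel", "dwImpLevel", "pAuthInfo", "dwCapabilities")
# Arguments 2..8 as used by Microsoft's documented WMI client example:
# WINNT, AUTHZ_NONE, NULL principal, LEVEL_CALL, IMPERSONATE, NULL, EOAC_NONE.
WMI_CLIENT_BLANKET = [10, 0, 0, 3, 3, 0, 0]


def _arg(token: str) -> Optional[int]:
    token = token.strip()
    return None if token in ("", "?") else int(token, 16)


def parse_api_calls(lines: List[str]) -> List[Dict]:
    """Return one record per call line; headers such as 'APIs' are skipped."""
    calls = []
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue
        raw = m["args"].strip()
        args = [] if raw == "" else [_arg(a) for a in raw.split(",")]
        calls.append({"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)})
    return calls


def _name(table: Dict[int, str], value: Optional[int]) -> str:
    if value is None:
        return "?"
    return table.get(value, hex(value))


def decode_proxy_blanket(call: Dict) -> Dict[str, str]:
    """Map the eight CoSetProxyBlanket arguments to their symbolic constants."""
    if call["api"] != "CoSetProxyBlanket" or len(call["args"]) != 8:
        raise ValueError("expected a CoSetProxyBlanket call with 8 arguments")
    a = dict(zip(PROXY_BLANKET_PARAMS, call["args"]))
    return {
        "pProxy": _name({}, a["pProxy"]),
        "dwAuthnSvc": _name(RPC_C_AUTHN, a["dwAuthnSvc"]),
        "dwAuthzSvc": _name(RPC_C_AUTHZ, a["dwAuthzSvc"]),
        "pServerPrincName": "NULL" if a["pServerPrincName"] == 0 else _name({}, a["pServerPrincName"]),
        "dwAuthnLevel": _name(RPC_C_AUTHN_LEVEL, a["dwAuthnLevel"]),
        "dwImpLevel": _name(RPC_C_IMP_LEVEL, a["dwImpLevel"]),
        "pAuthInfo": "NULL" if a["pAuthInfo"] == 0 else _name({}, a["pAuthInfo"]),
        "dwCapabilities": _name({0: "EOAC_NONE"}, a["dwCapabilities"]),
    }


def is_wmi_client_setup(calls: List[Dict]) -> bool:
    """Heuristic: a BSTR is allocated before a CoSetProxyBlanket whose
    security arguments equal the documented WMI client values."""
    for i, c in enumerate(calls):
        if c["api"] == "CoSetProxyBlanket" and len(c["args"]) == 8 and c["args"][1:] == WMI_CLIENT_BLANKET:
            if any(p["api"] == "SysAllocString" for p in calls[:i]):
                return True
    return False


if __name__ == "__main__":
    calls = parse_api_calls(REPORT_API_LINES)
    for c in calls:
        print(f"{c['ref']:08X} {c['api']}.{c['module']} {c['args']}")
    blanket = next(c for c in calls if c["api"] == "CoSetProxyBlanket")
    for k, v in decode_proxy_blanket(blanket).items():
        print(f"  {k:17} = {v}")
    print("WMI client setup pattern:", is_wmi_client_setup(calls))
```

The same parser can be pointed at any "APIs" list in this report; only CoSetProxyBlanket gets argument decoding here, and the repeated SysAllocString argument 09650B65 is a heap pointer that the sandbox resolved but whose contents are not shown, so nothing about the query text can be derived from it.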
APIs
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseDataLongOpenWindow
• String ID:
• API String ID: 1647500905-0
• Opcode ID: e59914b03057e0921427343f977ec86f85c0864ac4034d4ebae71ee9385df05a
• Instruction ID: 89b15b1008024b0e7219c22e43c06132caad40ba6a79140fda528b8e302ec443
• Opcode Fuzzy Hash: e59914b03057e0921427343f977ec86f85c0864ac4034d4ebae71ee9385df05a
• Instruction Fuzzy Hash: 2341B4B09087828FDB10AB7C984536FBFE0AB56320F048A6DE4E6873C2D3349905C767
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 21$6$;9$HI$QyFg$dki
• API String ID: 0-388788806
• Opcode ID: 8e4c28ba032a3c0dadea57c0268dad9969cf0b99492ef8a1c0e3e19820dcbb48
• Instruction ID: c54e067ef221666ab88c7328419614e8ee53da1797c606bbe63257cf88e5bc95
• Opcode Fuzzy Hash: 8e4c28ba032a3c0dadea57c0268dad9969cf0b99492ef8a1c0e3e19820dcbb48
• Instruction Fuzzy Hash: 933266B420C381DFD328DF15D8A1B6BBBE1EB85344F54892DE1CA8B261D7389845CB5A
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: ~$%v$TZ$UA$tJC${
• API String ID: 0-442212474
• Opcode ID: 20b07d47708e833bea6c1aa4eb83c9b3cba26fe7b853dc6429e612a30507a8ad
• Instruction ID: b7746535db5a27c06371e0f81fa7f0317bad2a9747cbbc1ad7f483b1d57810ad
• Opcode Fuzzy Hash: 20b07d47708e833bea6c1aa4eb83c9b3cba26fe7b853dc6429e612a30507a8ad
• Instruction Fuzzy Hash: 2BE1BEF8A0020ADFDB04CFA5D985AAEBBB1FF49304F24451DE415AB741D738A911CFA6
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: .'&!$P?Q9$T;%$ft~$tr$~pv
• API String ID: 0-330529406
• Opcode ID: c088e675831dc25292d2c6096b997bb0531387f0ff7682f41f52504c1287accd
• Instruction ID: da4d60ad9a65d82bee81af65e1ca07b15af6f369e0e273f2bb66a687692fa3ae
• Opcode Fuzzy Hash: c088e675831dc25292d2c6096b997bb0531387f0ff7682f41f52504c1287accd
• Instruction Fuzzy Hash: D9B1897551E3908AD331CF25C49878BBBE1ABDA354F588A4CD8CC5B311C7389A4ACB97
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0$0$0$i$u
• API String ID: 0-2578075383
• Opcode ID: 4b942c983ae29275cb0e890cd9593218aab462d75cafc3d2a6a331db285c9f3c
• Instruction ID: 9e781c265de8ea662b02f0d00ea87a01145e81901440f75493ddbfb8e4589570
• Opcode Fuzzy Hash: 4b942c983ae29275cb0e890cd9593218aab462d75cafc3d2a6a331db285c9f3c
• Instruction Fuzzy Hash: A8620771A083519FC314CE28C69039BBBE1ABD5704F148A6EE8D9D7391D3B8DD85CB86
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: $"DE$\P$rPE
• API String ID: 0-409153937
• Opcode ID: bd76749ca034abf0ebbd836625413f9842bfe9443f789b04cd89c8a3538d466c
• Instruction ID: 999c1b8a06f098c1245c646eaaa82c5bc6c952ac6a9a76bc348a7a486977e6e2
• Opcode Fuzzy Hash: bd76749ca034abf0ebbd836625413f9842bfe9443f789b04cd89c8a3538d466c
• Instruction Fuzzy Hash: 3372EE76A08216CFCB04CF68D89066EB3F1FB89305F1A887DD885A7351D374AD55CB86
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: EK6$N$R_B$tW
• API String ID: 0-3496575853
• Opcode ID: f33bce1ee630e1e1dab4eee58ce6f760c8dd9629da2d112734f204306aa7dfca
• Instruction ID: 24489c57b10ec65bc0cca19b8665c549a8655aeb89f98428aeb21524e28f673f
• Opcode Fuzzy Hash: f33bce1ee630e1e1dab4eee58ce6f760c8dd9629da2d112734f204306aa7dfca
• Instruction Fuzzy Hash: 3522D0B16083908BD714CF24D89076BBBF2EFD6304F48496DE48A87352DB79D909CB96
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 4`[b$4`[b$4`[b$L!&'
• API String ID: 0-1623617353
• Opcode ID: 96a53b1bb5f47f84edcff84cfe020d0e1968aa91a9328d27dc80ec230776a55d
• Instruction ID: b18e35ab88695871041c8063d43c72aee32ae6604652b73bdfddafd505d6efb9
• Opcode Fuzzy Hash: 96a53b1bb5f47f84edcff84cfe020d0e1968aa91a9328d27dc80ec230776a55d
• Instruction Fuzzy Hash: FE12BBB4508340DFD728DF14D8A1A2BB7E1FF89345F54882DE5C6873A2E739A805CB4A
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: J0:N$KQ$LC$US
• API String ID: 0-3443655503
• Opcode ID: 0db40935ebf73c697427c7f11b1f54043ef6fb1b1813f773978fa4dcbb3e4f8b
• Instruction ID: 09c3dfed99070943aef6a34b9976ff34888579d1e83908058d8a4ab4ca9f8f3b
• Opcode Fuzzy Hash: 0db40935ebf73c697427c7f11b1f54043ef6fb1b1813f773978fa4dcbb3e4f8b
• Instruction Fuzzy Hash: 9B02DFB560C3408BD314CF18C4906AFBBE2AFC9714F18896EE4D99B351D739D94ACB4A
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: $\P$rPE
                                                                                                                                                          • API String ID: 0-2271232275
                                                                                                                                                          • Opcode ID: 19960aee2916e1a526f3414ef50ddf9413ce76da417b31ec0b4212f85976536d
                                                                                                                                                          • Instruction ID: b419569ffdbf8a02ea7da6850a187c5ff5e46cd8b7bfb323c10936261184f29d
                                                                                                                                                          • Opcode Fuzzy Hash: 19960aee2916e1a526f3414ef50ddf9413ce76da417b31ec0b4212f85976536d
                                                                                                                                                          • Instruction Fuzzy Hash: 2B32DD35A08215CFCB08CF28D8A066FB7F2FB89305F09896ED88697351D774AD55CB86
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: $\P$rPE
                                                                                                                                                          • API String ID: 0-2271232275
                                                                                                                                                          • Opcode ID: 2248642cbeeafbd83c9140d896c66875e15d8a26ac1c9a9e203e5ba33ffb9848
                                                                                                                                                          • Instruction ID: 5ff264943c8cc54e2b1b87fa2534bc9f52be89dc63c73582ee4479819cd4ebb8
                                                                                                                                                          • Opcode Fuzzy Hash: 2248642cbeeafbd83c9140d896c66875e15d8a26ac1c9a9e203e5ba33ffb9848
                                                                                                                                                          • Instruction Fuzzy Hash: 9E32D935A08211CFCB08CF28D89066FB7F2FB89305F09896ED88697352D774E855CB86
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: $$rPE
                                                                                                                                                          • API String ID: 0-1537306017
                                                                                                                                                          • Opcode ID: b49012dface025da97e73c3b1034bb34807c0a4b6756b31d981573d2b76692a1
                                                                                                                                                          • Instruction ID: 6e7d9c8e0f74b3352e6e996f763d7618d8db4a03e2de4f81d930075a39c8b48c
                                                                                                                                                          • Opcode Fuzzy Hash: b49012dface025da97e73c3b1034bb34807c0a4b6756b31d981573d2b76692a1
                                                                                                                                                          • Instruction Fuzzy Hash: 01F1FE35A08215CFCB08CF68D8A066FB7F2FB89305F19886DD88697352D734AD55CB86
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: )$)$IEND
                                                                                                                                                          • API String ID: 0-588110143
                                                                                                                                                          • Opcode ID: aae953ee41d85b09ea637577d14186aedfa39c53bb94a95bac89a1f1ea6d6f87
                                                                                                                                                          • Instruction ID: 73ba0b6f2c9193cb5338d824c2e13da21037cb2bbdd904228fb6a164cdd187aa
                                                                                                                                                          • Opcode Fuzzy Hash: aae953ee41d85b09ea637577d14186aedfa39c53bb94a95bac89a1f1ea6d6f87
                                                                                                                                                          • Instruction Fuzzy Hash: C4E1F2B1A087019FD314CF29C88079BBBE0BB94304F14452EF99597391DB79E995CBCA
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: (ca$W{5y$|~
                                                                                                                                                          • API String ID: 0-1952870986
                                                                                                                                                          • Opcode ID: 828f974aa349eca70c3f68cec0807ff9774cbc318484b1999d72694f0429b2db
                                                                                                                                                          • Instruction ID: d668a6e97ce41d5df961cf65496046fac0408875cc1c1cc09bceaed83f919f45
                                                                                                                                                          • Opcode Fuzzy Hash: 828f974aa349eca70c3f68cec0807ff9774cbc318484b1999d72694f0429b2db
                                                                                                                                                          • Instruction Fuzzy Hash: 837163B41083409FD314EF19C490A2EBBF1EB9A744F549A1CE1D51B3A1C7799905CF9A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: _;:9$}K
                                                                                                                                                          • API String ID: 0-1012618580
                                                                                                                                                          • Opcode ID: 9fe089f97c973e06a29486ea9dad7bd4586b3f83105c5e511f51a7041990c938
                                                                                                                                                          • Instruction ID: f51f9cc7c935e5a51a6baff7ca707b8d64064a9f0646d1cc2b3aa2f62cf70e50
                                                                                                                                                          • Opcode Fuzzy Hash: 9fe089f97c973e06a29486ea9dad7bd4586b3f83105c5e511f51a7041990c938
                                                                                                                                                          • Instruction Fuzzy Hash: 6B32A2B5E006298FDB08DF98C891AAEFB72FF89304F54855DD8266B395C7349802CBD5
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: 0$8
                                                                                                                                                          • API String ID: 0-46163386
                                                                                                                                                          • Opcode ID: b75e4450074bb070e547e4a318034edc2cf343d1ead9d7f8d904dc219592ef7a
                                                                                                                                                          • Instruction ID: 790fd01d0ac8c273d4c1e7f238581cb59e02e91825a91ddc96986147d5dcf325
                                                                                                                                                          • Opcode Fuzzy Hash: b75e4450074bb070e547e4a318034edc2cf343d1ead9d7f8d904dc219592ef7a
                                                                                                                                                          • Instruction Fuzzy Hash: 4A426530608340DFD714CF28D85479ABBE1BF89305F08896DE4898B3A2C7B9D995CF96
                                                                                                                                                          APIs
                                                                                                                                                          • CoSetProxyBlanket.OLE32(?,000000FF,000000FF,000000FF,00000006,00000003,00000000,00000040), ref: 0042C116
                                                                                                                                                          • CoSetProxyBlanket.OLE32(?,000000FF,000000FF,000000FF,00000006,00000003,00000000,Function_0001C120), ref: 0042C135
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: BlanketProxy
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3890896728-0
                                                                                                                                                          • Opcode ID: 2ed0b0bf36697ddc924432dcd7777ecbcc4825d4ed5456e5589f7de8cbbdd387
                                                                                                                                                          • Instruction ID: 2a60112fb3140011b2d6a2d2b43a584c3af917fc9c217c69f6ee94b8e6bc2985
                                                                                                                                                          • Opcode Fuzzy Hash: 2ed0b0bf36697ddc924432dcd7777ecbcc4825d4ed5456e5589f7de8cbbdd387
                                                                                                                                                          • Instruction Fuzzy Hash: C5F0E57068C712FEFB340B24AC16F0576A2A747B32F345324B235781F68AB195108A0D
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: #"=$4`[b
                                                                                                                                                          • API String ID: 0-183199367
                                                                                                                                                          • Opcode ID: 2f8166cc1495a082907515f28dc03fe8076a52c56d09c1438d2384ceff336242
                                                                                                                                                          • Instruction ID: 0b8286b667a2a7c356e7ec9a661f0ad008b845d3d56a29dfbfcfbe7b2ce6955b
                                                                                                                                                          • Opcode Fuzzy Hash: 2f8166cc1495a082907515f28dc03fe8076a52c56d09c1438d2384ceff336242
                                                                                                                                                          • Instruction Fuzzy Hash: F7E111B56082009BD714DF28C891A2BB7E1EF99315F08A92DF4C6C7351E739DE41CB9A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: Inf$NaN
                                                                                                                                                          • API String ID: 0-3500518849
                                                                                                                                                          • Opcode ID: 769331b506ba8bd61d3ab35cfcdc80fefc4ecb686d89c305c722d403aebd5747
                                                                                                                                                          • Instruction ID: 9d85162939b3d73ddb9fa6e0b5de8a159686af335518cba9efecd4ef89363d49
                                                                                                                                                          • Opcode Fuzzy Hash: 769331b506ba8bd61d3ab35cfcdc80fefc4ecb686d89c305c722d403aebd5747
                                                                                                                                                          • Instruction Fuzzy Hash: DFD129B2A183019BC704CF28C88065BB7E5EFC8750F258A3EF89997391E775DD458B86
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: $xy
                                                                                                                                                          • API String ID: 0-1879942264
                                                                                                                                                          • Opcode ID: 3e7caed486b8b898e9d27077d52ed70f096631fe81e8302264c852b3302ca259
                                                                                                                                                          • Instruction ID: 681c1ef3a77d42104c554bce78c70d1e19611dbeff15a69beda281e4362eb7eb
                                                                                                                                                          • Opcode Fuzzy Hash: 3e7caed486b8b898e9d27077d52ed70f096631fe81e8302264c852b3302ca259
                                                                                                                                                          • Instruction Fuzzy Hash: 28E153B060C3809BD314EF19D490A6FBBE2EF95744F14891EE1C98B352D739D846CB9A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: "$J1
                                                                                                                                                          • API String ID: 0-1332998432
                                                                                                                                                          • Opcode ID: 717b84f1d1b4d0aa476fa47916ab833481111acf08f14d9df5af7f091af42965
                                                                                                                                                          • Instruction ID: 77dee06d7033e6bd90089a0e0d1f23d1588be2a2cfd544188485330bff91e4aa
                                                                                                                                                          • Opcode Fuzzy Hash: 717b84f1d1b4d0aa476fa47916ab833481111acf08f14d9df5af7f091af42965
                                                                                                                                                          • Instruction Fuzzy Hash: 58D147B46083809BD364CF24D981BAFF7E6EFC5704F44882DE48987252E778E849CB56
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: >ZVB$XXZ
                                                                                                                                                          • API String ID: 0-1040703691
                                                                                                                                                          • Opcode ID: be67e9a37fec9c162cc65b6a149b729149a76e56b3aba1b220eed938636dead5
                                                                                                                                                          • Instruction ID: 5e451e605560981ffbf685aca71a6fc59a02beaa6c7da3c0ed5694dc81432a2f
                                                                                                                                                          • Opcode Fuzzy Hash: be67e9a37fec9c162cc65b6a149b729149a76e56b3aba1b220eed938636dead5
                                                                                                                                                          • Instruction Fuzzy Hash: B9B1BD721083858FC311CF39C89066ABFE2AF96314F585A9DF0E49B3A2C735D949CB46
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: @1$z
                                                                                                                                                          • API String ID: 0-3737219330
                                                                                                                                                          • Opcode ID: 26dcfd3224af9f3c3cbb885badf90b4e0fe6a27c1660b9ccc5fb19c921f9ffef
                                                                                                                                                          • Instruction ID: 99e8406b5a06fd71cf1475f1978d0ed1d704625d72431c32eabdb926689560ef
                                                                                                                                                          • Opcode Fuzzy Hash: 26dcfd3224af9f3c3cbb885badf90b4e0fe6a27c1660b9ccc5fb19c921f9ffef
                                                                                                                                                          • Instruction Fuzzy Hash: 80C167B56083809BD364CF24D991B5FB7E2EFC5704F14892EE88987351EB78D849CB4A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: ?4$4`[b
                                                                                                                                                          • API String ID: 0-3194672840
                                                                                                                                                          • Opcode ID: 7976b533a6c11a01d0444dcc914dc7dc1beaea6541ece79d09f303d9c7dd384c
                                                                                                                                                          • Instruction ID: fe2a72a1c16f5346a5f28d2a09956cf805c07021eb6e0ca21332dc109734af64
                                                                                                                                                          • Opcode Fuzzy Hash: 7976b533a6c11a01d0444dcc914dc7dc1beaea6541ece79d09f303d9c7dd384c
                                                                                                                                                          • Instruction Fuzzy Hash: A291CE706083508BE324DF18E8987AFB7F1FF86345F44492EE58587262D73A9941CB8B
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: AJ$\]
                                                                                                                                                          • API String ID: 0-3722789656
                                                                                                                                                          • Opcode ID: fb710ed8db8b0af347a07cbcfa26b5cc7142dfa57a2215b73a6e2a8a13f04b9d
                                                                                                                                                          • Instruction ID: 7ea8f2709e6df63223d2cfbc507ab7c3cf94182bf222ef244d787fdfb551d8e2
                                                                                                                                                          • Opcode Fuzzy Hash: fb710ed8db8b0af347a07cbcfa26b5cc7142dfa57a2215b73a6e2a8a13f04b9d
                                                                                                                                                          • Instruction Fuzzy Hash: C191BEB4940216CFDB14CF94C8A17BFB7B1FF4A314F145549E892AB395E3389811CB99
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: 0$8
                                                                                                                                                          • API String ID: 0-46163386
                                                                                                                                                          • Opcode ID: c31b6a292e239e74d7b5868cf998a00541d2232f05964cad994897bcd8b879a4
                                                                                                                                                          • Instruction ID: 41ea6b9bdcb93e438d15cc10f61c83f2d03e6e60f2e4b95bcb0746a554e4b28d
                                                                                                                                                          • Opcode Fuzzy Hash: c31b6a292e239e74d7b5868cf998a00541d2232f05964cad994897bcd8b879a4
                                                                                                                                                          • Instruction Fuzzy Hash: 20814235219384DFC700CF28D494A8EBBE1AF99314F49896DF8C487362C679D999CF52
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: ]G
                                                                                                                                                          • API String ID: 0-2792678869
                                                                                                                                                          • Opcode ID: ae63cf84e5c0976c4d31def68a76c71e8155187a37208182465765fe79fd4972
                                                                                                                                                          • Instruction ID: dd606a446c5dc3c127dfe09f15042436af04ecd1030e67f38bc12fcd61bb4f44
                                                                                                                                                          • Opcode Fuzzy Hash: ae63cf84e5c0976c4d31def68a76c71e8155187a37208182465765fe79fd4972
                                                                                                                                                          • Instruction Fuzzy Hash: 0A32ADB16083909BD314DF28D890A2FB7E2FFC5304F55492EE49987351E778D849CB5A
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 307949a4f390b3df15bc669a2483ce121abbfc0f41d874a3c1bfd551dd2184d4
                                                                                                                                                          • Instruction ID: 7b4d5a0d98a4300bc0526d534dbf44dc3267ae1dc3a8c063433f3c396e97021a
                                                                                                                                                          • Opcode Fuzzy Hash: 307949a4f390b3df15bc669a2483ce121abbfc0f41d874a3c1bfd551dd2184d4
                                                                                                                                                          • Instruction Fuzzy Hash: B1F1EEB16083518FD724CF28D8917AFBBE1EF86304F58492EE49987352D739D845CB8A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: f
                                                                                                                                                          • API String ID: 0-1993550816
                                                                                                                                                          • Opcode ID: 83b2027d994bed17e0cdfddc2c15a80d471f6b96e4011267eceef1a5d966481a
                                                                                                                                                          • Instruction ID: 0c0cec1d83c5a4f6ff7f9a91d047b93fb79d3cfdc08a15c2b10ce0cac194fe7b
                                                                                                                                                          • Opcode Fuzzy Hash: 83b2027d994bed17e0cdfddc2c15a80d471f6b96e4011267eceef1a5d966481a
                                                                                                                                                          • Instruction Fuzzy Hash: 1F3291756083419FD714CF28C890B2BB7E2EB89314F18892EF895C7392D739E849CB56
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: %1.17g
                                                                                                                                                          • API String ID: 0-1551345525
                                                                                                                                                          • Opcode ID: 91d1f1247741a57da21da6f5f1991baaeafdcfe7032c5c4858af2149b9178f6c
                                                                                                                                                          • Instruction ID: 31c86f767a84538317bcbf5b513b5d99bf89d4c53de575bc4455c27e0d59c244
                                                                                                                                                          • Opcode Fuzzy Hash: 91d1f1247741a57da21da6f5f1991baaeafdcfe7032c5c4858af2149b9178f6c
                                                                                                                                                          • Instruction Fuzzy Hash: F712B372A08B41CBD7158E58D4803E7BBA2AFE1304F1D856FD8954B341E7B9DC86C74A
                                                                                                                                                          APIs
                                                                                                                                                          • CoCreateInstance.OLE32(00458BA0,00000000,00000001,00458B90), ref: 004330F9
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CreateInstance
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 542301482-0
                                                                                                                                                          • Opcode ID: 4b6d6b060679144e4abf391f1a28c904377b44d145cc16027412afcdba315d3e
                                                                                                                                                          • Instruction ID: 8ee346db7a4811bca061dc6bee4dd13d9bcdc9b9fcdb1fefa12f14e9b1944984
                                                                                                                                                          • Opcode Fuzzy Hash: 4b6d6b060679144e4abf391f1a28c904377b44d145cc16027412afcdba315d3e
                                                                                                                                                          • Instruction Fuzzy Hash: BC5101B06003049BDB209F24CC86B7773B4EF8975AF089559F9858B391E378EA05C72A
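Every record in this section points at the same memory dump: base 0x410000 in process 3, a region whose file name carries protection 0x40 and type 0x20000, flagged "based on PE: true", snapshotted from a BitLockerToGo host. Decoded, that is private (not image-backed) memory that is writable and executable and already holds a PE header, the footprint of a payload written into another process rather than loaded from disk; the CoCreateInstance record likewise stores its dwClsContext as a bare 1. The Python below is an added example for reading these records, not code from Joe Sandbox or from the analysed sample. It assumes the .sdmp file-name layout <process index>.<phase>.<id>.<base>.<protect>.<unknown>.<type>.<unknown>, inferred only from the fourth field matching the reported Offset, and that the hcaresult_*.jbxd snapshot name ends with the host process name; the constant names are the documented Win32 values.

```python
"""Decode the per-function records of a Joe Sandbox report excerpt.

Added illustration; not code from Joe Sandbox or from the analysed sample.
Assumed (undocumented on the page): .sdmp name fields are
<process index>.<phase>.<id>.<base>.<protect>.<?>.<type>.<?>, and the
hcaresult_*_<process>.jbxd snapshot name ends in the host process name.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Memory-protection constants from winnt.h.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
# Region types reported by VirtualQuery (winnt.h).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
# dwClsContext bits for CoCreateInstance (wtypesbase.h).
CLSCTX = {0x1: "CLSCTX_INPROC_SERVER", 0x2: "CLSCTX_INPROC_HANDLER",
          0x4: "CLSCTX_LOCAL_SERVER", 0x10: "CLSCTX_REMOTE_SERVER"}

SOURCE_RE = re.compile(r"Source File: (?P<name>\S+)\.sdmp, Offset: (?P<offset>[0-9A-Fa-f]+), "
                       r"based on PE: (?P<pe>true|false)")
SNAPSHOT_RE = re.compile(r"Snapshot File: hcaresult_\d+_\d+_[0-9A-Fa-f]+_(?P<proc>\w+)\.jbxd")
API_RE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)")


@dataclass(frozen=True)
class DumpRegion:
    process_index: int   # assumed meaning of the first file-name field
    base: int
    protect: str
    mem_type: str
    has_pe: bool

    @property
    def looks_injected(self) -> bool:
        # Private RWX memory that already contains a PE header: a module loaded
        # normally would instead be MEM_IMAGE with read/execute pages.
        return (self.mem_type == "MEM_PRIVATE"
                and self.protect == "PAGE_EXECUTE_READWRITE"
                and self.has_pe)


def parse_source_line(line: str) -> DumpRegion:
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError("not a Memory Dump Source line")
    f = m.group("name").split(".")
    base, protect, mem_type = int(f[3], 16), int(f[4], 16), int(f[6], 16)
    if base != int(m.group("offset"), 16):   # sanity check on the assumed layout
        raise ValueError("base in file name disagrees with reported Offset")
    return DumpRegion(process_index=int(f[0], 16), base=base,
                      protect=PAGE_PROTECT.get(protect, hex(protect)),
                      mem_type=MEM_TYPE.get(mem_type, hex(mem_type)),
                      has_pe=m.group("pe") == "true")


def host_process(line: str) -> str:
    m = SNAPSHOT_RE.search(line)
    if not m:
        raise ValueError("not a Snapshot File line")
    return m.group("proc")


def decode_cocreateinstance(line: str) -> dict:
    m = API_RE.search(line)
    if not m or m.group("api") != "CoCreateInstance":
        raise ValueError("not a CoCreateInstance record")
    rclsid, punk_outer, clsctx, riid = (int(a, 16) for a in m.group("args").split(","))
    return {"rclsid_ptr": rclsid,             # address of the CLSID in the dumped image
            "aggregated": punk_outer != 0,    # non-NULL pUnkOuter requests aggregation
            "clsctx": [n for bit, n in CLSCTX.items() if clsctx & bit],
            "riid_ptr": riid,
            "call_site": int(m.group("ref"), 16)}


def injected_regions(report_text: str) -> list[DumpRegion]:
    """Collapse the repeated per-function records to the distinct flagged regions."""
    seen: dict[tuple[int, int], DumpRegion] = {}
    for line in report_text.splitlines():
        if "Source File:" in line:
            r = parse_source_line(line)
            seen.setdefault((r.process_index, r.base), r)
    return [r for r in seen.values() if r.looks_injected]


# Constructed excerpt: two function records plus the API record, copied from this page.
REPORT_EXCERPT = """\
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
• CoCreateInstance.OLE32(00458BA0,00000000,00000001,00458B90), ref: 004330F9
"""

if __name__ == "__main__":
    for region in injected_regions(REPORT_EXCERPT):
        print(f"process {region.process_index} ({host_process(REPORT_EXCERPT.splitlines()[1])}): "
              f"{region.mem_type} {region.protect} at {region.base:#x}, PE={region.has_pe}")
    print(decode_cocreateinstance(REPORT_EXCERPT.splitlines()[-1]))
```

Run against the whole function-analysis section, `injected_regions` reduces the dozen records above to a single region, which is the useful triage fact: every function listed here was lifted from one RWX private allocation inside the BitLockerToGo snapshot, so the records describe the injected payload, not the host binary. If the sandbox ever changes its file-name layout, the Offset cross-check in `parse_source_line` fails loudly instead of silently misreading fields.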
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: ^TYR
                                                                                                                                                          • API String ID: 0-2403333924
                                                                                                                                                          • Opcode ID: b4002723fa5084c260bb06041de4e4132e415b49118c0469249397cddf7f50c4
                                                                                                                                                          • Instruction ID: 7f6c10b6d583d7125387856d3398120a5788ea5b11e187c3d78635ccba62326d
                                                                                                                                                          • Opcode Fuzzy Hash: b4002723fa5084c260bb06041de4e4132e415b49118c0469249397cddf7f50c4
                                                                                                                                                          • Instruction Fuzzy Hash: DFE1BDB56083409BD304EF29D880A5EBBF6EFD4314F98892EE4C887351D738E949CB56
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: P
                                                                                                                                                          • API String ID: 0-3110715001
                                                                                                                                                          • Opcode ID: beebeee87d8c133ebcc634bcb241483f916a2ec66c327f41acaf8c098a7b62d2
                                                                                                                                                          • Instruction ID: d2fab7b08c4142bcf70a4740c8f252c56c624e6f7d02606cf03acd35bb5c4799
                                                                                                                                                          • Opcode Fuzzy Hash: beebeee87d8c133ebcc634bcb241483f916a2ec66c327f41acaf8c098a7b62d2
                                                                                                                                                          • Instruction Fuzzy Hash: 49E12832A083604FC715CE18849061FB3E2EBC5359F06863DEDB6AB392C7759D4987C6
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: "
                                                                                                                                                          • API String ID: 0-123907689
                                                                                                                                                          • Opcode ID: f31a23bacc01a5407d2b86fcea6cd2a57511eadae3e6d24662fecdb0f71f6251
                                                                                                                                                          • Instruction ID: f64805e045dd63c7355b65540f519c5c73d961cd5d6ec7c081cd081d09439ea3
                                                                                                                                                          • Opcode Fuzzy Hash: f31a23bacc01a5407d2b86fcea6cd2a57511eadae3e6d24662fecdb0f71f6251
                                                                                                                                                          • Instruction Fuzzy Hash: 3EC127B2E083045BD7258E24E88076BB7E5AF99314F18952FE89587381E73CEC45C796
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                          • String ID: \
                                                                                                                                                          • API String ID: 2994545307-3568076253
                                                                                                                                                          • Opcode ID: 9b13bbffba7daf6e6ac4cd4da21494b591ef88fa22d2689aa535c009e1e0fed9
                                                                                                                                                          • Instruction ID: a582b9abc5affa5015abc6b1274d95182525408af83d50f529113b6fccc40ed3
                                                                                                                                                          • Opcode Fuzzy Hash: 9b13bbffba7daf6e6ac4cd4da21494b591ef88fa22d2689aa535c009e1e0fed9
                                                                                                                                                          • Instruction Fuzzy Hash: 5FB10F716083019BD714DF18C88062BF7E1EF99304F18592EF9C58B351EB39E945CB9A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: 4`[b
                                                                                                                                                          • API String ID: 0-3962175265
                                                                                                                                                          • Opcode ID: 3c1a697c463c4b841042622e43e39a9192d2f0cc23b9f8f1beee178966b553c7
                                                                                                                                                          • Instruction ID: 5b6ba1cb91616380c4b3fd45ee2fb7184f03440a2a317341cc9963ad7e9db575
                                                                                                                                                          • Opcode Fuzzy Hash: 3c1a697c463c4b841042622e43e39a9192d2f0cc23b9f8f1beee178966b553c7
                                                                                                                                                          • Instruction Fuzzy Hash: 01D188B410C3809FD324DF19D490B6BBBE1EF8A704F545A1DE6C98B392C7769805CB9A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: 4`[b
                                                                                                                                                          • API String ID: 0-3962175265
                                                                                                                                                          • Opcode ID: 7a28e30bb17dda159eb49f1ab6e16c03c9241f2d082b12b47eb1b672965ac7cf
                                                                                                                                                          • Instruction ID: eb3618badcbfe63de2aab32dc1244193e94b233bec937aa8897428c4c9db0e21
                                                                                                                                                          • Opcode Fuzzy Hash: 7a28e30bb17dda159eb49f1ab6e16c03c9241f2d082b12b47eb1b672965ac7cf
                                                                                                                                                          • Instruction Fuzzy Hash: E3B1DCB0D00219DFEB24CFA8E9917AEB771FF46305F1040A9E549AB242E7309E51CF5A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: ,
                                                                                                                                                          • API String ID: 0-3772416878
                                                                                                                                                          • Opcode ID: 040639413158bfdbd14daa81084adcf7a10f414b7e134be0bbf74d28b1857f66
                                                                                                                                                          • Instruction ID: fb9f94706ef129cf7964bee32a384e9f309f39bb2217ae1836526d538faec1db
                                                                                                                                                          • Opcode Fuzzy Hash: 040639413158bfdbd14daa81084adcf7a10f414b7e134be0bbf74d28b1857f66
                                                                                                                                                          • Instruction Fuzzy Hash: 0EB16A711093809FD321CF18C88465BFBE0AFA9704F484E2DE5D997382D675E958CBA7
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: 4`[b
                                                                                                                                                          • API String ID: 0-3962175265
                                                                                                                                                          • Opcode ID: 23d6f96a34799fd7db89ef0efd09f1502d9c4f4d3083677d305cfe6280c5d5d8
                                                                                                                                                          • Instruction ID: a794c3c4144f05bc6dbfe5c355a572a435f41fc9b69ed15ffb9f990f7bed6422
                                                                                                                                                          • Opcode Fuzzy Hash: 23d6f96a34799fd7db89ef0efd09f1502d9c4f4d3083677d305cfe6280c5d5d8
                                                                                                                                                          • Instruction Fuzzy Hash: 01810471608301ABD724CF15C850A6BB7E2EFC5396F14892EFD8593392E734E904CB9A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: "
                                                                                                                                                          • API String ID: 0-123907689
                                                                                                                                                          • Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                          • Instruction ID: 6f331eaee311c823878c86a3076073f55de4b339334dbe7d9c7b24ae35b63837
                                                                                                                                                          • Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                          • Instruction Fuzzy Hash: 3771F732E083155BD714CE2CE58031FBBE2ABC9714F29952FE4988B395D338DC49878A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: 0
                                                                                                                                                          • API String ID: 0-4108050209
                                                                                                                                                          • Opcode ID: 4a173d25c7d084d9a497d896eae14b09eb50efb1e122eccc1240a6c66bc1c4bc
                                                                                                                                                          • Instruction ID: c4fb04e9f7aacc4ed11cf2c4453826f1f4c811a5a6cec1ec68f5183a0fabb12e
                                                                                                                                                          • Opcode Fuzzy Hash: 4a173d25c7d084d9a497d896eae14b09eb50efb1e122eccc1240a6c66bc1c4bc
                                                                                                                                                          • Instruction Fuzzy Hash: BC9177B56083029BE714CF08C480B1BBBE2FBC9344F14892EF89487351D738E849CB96
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: 4`[b
                                                                                                                                                          • API String ID: 0-3962175265
                                                                                                                                                          • Opcode ID: 908e7949b3c1e1c41bc3bd3e2f973716d31be5618c2fdd6570ac847b82259152
                                                                                                                                                          • Instruction ID: ab9547bc95408c9cb0146c2c2b14426ca1746cfe1c48720dd6cb69491b8b0c87
                                                                                                                                                          • Opcode Fuzzy Hash: 908e7949b3c1e1c41bc3bd3e2f973716d31be5618c2fdd6570ac847b82259152
                                                                                                                                                          • Instruction Fuzzy Hash: 61619D71108300EFE314DF25D891B2BB7A6FBD4305F14892EE58687291DB79E815CB9A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
• API ID: InitializeThunk
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 3d3f3bd7754c0672647902585bba409f4cfbe422c8a1bcdc734ec64e2a93f80c
                                                                                                                                                          • Instruction ID: 3ae2f7d2e2306412572f90026279a0c448232ab06a55964f5566598bc9a2f5b5
                                                                                                                                                          • Opcode Fuzzy Hash: 3d3f3bd7754c0672647902585bba409f4cfbe422c8a1bcdc734ec64e2a93f80c
                                                                                                                                                          • Instruction Fuzzy Hash: ABD1DE75E0061ACFCB24CF98C8806AEF7B2FF48300F6585A9D455AB361D734AD52CB94
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 9799bbff02cf92c5a25760a90a4510457fcc31c5932a035b4c222ee9aff2b1c4
                                                                                                                                                          • Instruction ID: 630e1b14a78e95160c4fda79ce64c8f6ab471fec285de3f4ab8a8f5433171e4d
                                                                                                                                                          • Opcode Fuzzy Hash: 9799bbff02cf92c5a25760a90a4510457fcc31c5932a035b4c222ee9aff2b1c4
                                                                                                                                                          • Instruction Fuzzy Hash: 29C1E4756083914FC325CE28C49052EBBE1AFC5315F1986AEECE58B383D639DC49CB96
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: db8e228609abf18747bc16d78053dfd630d696a69a077b08a1400495d70b86f3
                                                                                                                                                          • Instruction ID: 9cbe7abb8535877f6c2604c857fcb6d227990dca9c177f2de635d3f20ca58184
                                                                                                                                                          • Opcode Fuzzy Hash: db8e228609abf18747bc16d78053dfd630d696a69a077b08a1400495d70b86f3
                                                                                                                                                          • Instruction Fuzzy Hash: E4B1D4B5908341CFD714CF28985122BF7E1AF9A305F18596EF4C687342D778E90ACB9A
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 5dd9f4b9501894421220475f0b9a886d744e34e2ec62c0f2d30da9f17c791ef2
                                                                                                                                                          • Instruction ID: a89a3df3213ff57c693854394228a79fb1d9151cace009e7d57835b1c6205a7d
                                                                                                                                                          • Opcode Fuzzy Hash: 5dd9f4b9501894421220475f0b9a886d744e34e2ec62c0f2d30da9f17c791ef2
                                                                                                                                                          • Instruction Fuzzy Hash: A0C199B5A083518FD724DF18D8806ABB7F1FFC6304F04492EE8999B252E7399845CB96
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 83b3e1e9858e9e9fefa5c08db0c73ea8862f098b4fd6b9eea0c0d3a2fcaf5e79
                                                                                                                                                          • Instruction ID: 02dfc955f3291dbb2b42cdb77ce6be19ef11085bbd1472f3026db3119cf83ede
                                                                                                                                                          • Opcode Fuzzy Hash: 83b3e1e9858e9e9fefa5c08db0c73ea8862f098b4fd6b9eea0c0d3a2fcaf5e79
                                                                                                                                                          • Instruction Fuzzy Hash: EFB129B1A083504BD324DF29C88176BF7E5AB85356F04492EFDD897342E778ED08878A
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 5a3c1ab4fc4e8f4bdb239d83bd413002cd5800b557c28db58d4adda31e8650de
                                                                                                                                                          • Instruction ID: 66e843173843c5500d3917514df43c40edb3f340989a05efbad62395efc56ab6
                                                                                                                                                          • Opcode Fuzzy Hash: 5a3c1ab4fc4e8f4bdb239d83bd413002cd5800b557c28db58d4adda31e8650de
                                                                                                                                                          • Instruction Fuzzy Hash: 2BB106B1D00216CFCB14CF68C8917AEB7B2FF4A304F1841AAD895AB392D3399D55CB95
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 23c08a348d0c28e4319bfaf0ffa8e41b6e88608d5783ae251d3043d1781ccabd
                                                                                                                                                          • Instruction ID: 2d59611e7786af112c37eaaf84331561b2105f453741a7eb5cdcbff28b5e1492
                                                                                                                                                          • Opcode Fuzzy Hash: 23c08a348d0c28e4319bfaf0ffa8e41b6e88608d5783ae251d3043d1781ccabd
                                                                                                                                                          • Instruction Fuzzy Hash: 39A1F0356083069FC714DF18D490A2BB3E2EF85740F59892DEC858B362EB34EC15CB9A
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                                          • Opcode ID: 98b170e862b3a435ca5385c429524fc7cdc06572ebbcf93b629c1d6befce59d1
                                                                                                                                                          • Instruction ID: 725560efed747a8c92ce3f5a4959d8871ca0f87243b46bcc0caf52ee4fc0dde6
                                                                                                                                                          • Opcode Fuzzy Hash: 98b170e862b3a435ca5385c429524fc7cdc06572ebbcf93b629c1d6befce59d1
                                                                                                                                                          • Instruction Fuzzy Hash: 6291E1326087019BD710DF18C890A2BB7E2EF84741F19892EF88597362E735EC15CB9A
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 8badac05c4aae012919bcba74e40be7a5355787b62cc3163b4615431c12454fc
                                                                                                                                                          • Instruction ID: 112dc9851fc2d4629d75f3745e0613393a555ceea24d643237316afe145a0efc
                                                                                                                                                          • Opcode Fuzzy Hash: 8badac05c4aae012919bcba74e40be7a5355787b62cc3163b4615431c12454fc
                                                                                                                                                          • Instruction Fuzzy Hash: D291F531A083118BD724DF58C480A2BB3A2FF88701F5A896DED8657352E775EC05CB8A
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                                          • Opcode ID: eca38f61f7be59cbcc949e9e18dba6dc98d0c7a0f404f6f353da44627f394517
                                                                                                                                                          • Instruction ID: 0a5090091cafab8f4f635419aa9585460c3038616e800110323301e942b29b4a
                                                                                                                                                          • Opcode Fuzzy Hash: eca38f61f7be59cbcc949e9e18dba6dc98d0c7a0f404f6f353da44627f394517
                                                                                                                                                          • Instruction Fuzzy Hash: 1381E0716083008FD718DF08C890A2BB7E2EBD5704F59892EE9D587362D735EC09CB96
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: d083f74d7ddea4dd4996710d419bc3a143556b9599630a16db3e599f5ece8ef0
                                                                                                                                                          • Instruction ID: 46ad20627d1a95e18a4c33d60c337d8968ea56041cc733e8e774b050affc870c
                                                                                                                                                          • Opcode Fuzzy Hash: d083f74d7ddea4dd4996710d419bc3a143556b9599630a16db3e599f5ece8ef0
                                                                                                                                                          • Instruction Fuzzy Hash: D171D136A083519BE710CE68C88065BB7E1FB88714F19897EE8D4E7351E379EC088786
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2edc702c8775b6f5ae71e51e61d07a6724a77c10e34c8ece7ea87827b33faedb
• Instruction ID: 4904205e105fb703a37e84f3e61dd0217e69b31b189529378dd5b8557cb44271
• Opcode Fuzzy Hash: 2edc702c8775b6f5ae71e51e61d07a6724a77c10e34c8ece7ea87827b33faedb
• Instruction Fuzzy Hash: 9F71CC76619302CFD304CF24D85136A77E1FF8931AF098A7DE84587292C739C9A4CB86
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                          • Instruction ID: 5f38e62d87398cef03ad73536c430d16a8ec5e4cffdcd0a9cc9c3631380e7ca2
                                                                                                                                                          • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                          • Instruction Fuzzy Hash: E311E933A051D40ED3168D3C840056ABFE31AA3234F5943DFF4B4AB2D2DA268D8B8359
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 426252486152806b9b2540cb071e4acf5948ef7fd31604c0866f8dd5bc53c06f
                                                                                                                                                          • Instruction ID: 70a61a1bc3eb7a9730083ea28513338ed98bfaacbf14baf35a2bd24f3892695e
                                                                                                                                                          • Opcode Fuzzy Hash: 426252486152806b9b2540cb071e4acf5948ef7fd31604c0866f8dd5bc53c06f
                                                                                                                                                          • Instruction Fuzzy Hash: 860152F570031147D620EE55E8C5B27B2A85F59708F18642ED40667342DB79EC05D799
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 5bf53ba92400936c8cda88864bcb5b9148cd77c453d272277b23cf91686bbef9
                                                                                                                                                          • Instruction ID: 335d5017df81e604150aa530cd067b8692513ca0765d94962038f4d4ff977589
                                                                                                                                                          • Opcode Fuzzy Hash: 5bf53ba92400936c8cda88864bcb5b9148cd77c453d272277b23cf91686bbef9
                                                                                                                                                          • Instruction Fuzzy Hash: 87F0507B74831A0F6311CDB9FC80577B396DBCA241F16903DDA41E3301D431E842D294
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 78897440eded06021b29a0c3b54aa744dd786520b349eb5ad26c49f85982ac5b
                                                                                                                                                          • Instruction ID: 8a64ef3d332e009d93526f451fcbae1625f305ea1fe814c3b9a9cb109cc465ac
                                                                                                                                                          • Opcode Fuzzy Hash: 78897440eded06021b29a0c3b54aa744dd786520b349eb5ad26c49f85982ac5b
                                                                                                                                                          • Instruction Fuzzy Hash: DDF027B1B0426017DB229945ACC0B37FB9CCB97324F191416EC8053202E2655C41C3EB
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                                                                                                          • Instruction ID: d8b96f550cc4fc2ed808545740f6a2bc15fcb5c6afbd5f2dc55da217a3332183
                                                                                                                                                          • Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                                                                                                          • Instruction Fuzzy Hash: DDD05E21A0822146BB688E19A410977F7E0EA87B11F49955FFA82E3248D234DC42C2AD
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AllocString
                                                                                                                                                          • String ID: !$#$%$'$)$+$-$/$0$1$3$@$A$D$^$k$m$n$o$q$q$s$s$u$w$y$z${$|$}$}$~
                                                                                                                                                          • API String ID: 2525500382-1499041251
                                                                                                                                                          • Opcode ID: 6b0ac715ed6f5973afcc633bc88aea752fb86d76bd8f32253dfb1b1dcd9d424f
                                                                                                                                                          • Instruction ID: 108949eb1d88cfbc3c12a83278d9a983b58887161e04ade427748e73736e66ec
                                                                                                                                                          • Opcode Fuzzy Hash: 6b0ac715ed6f5973afcc633bc88aea752fb86d76bd8f32253dfb1b1dcd9d424f
                                                                                                                                                          • Instruction Fuzzy Hash: 5391966040C7C1CDE322DB78844875EBFE15BA6318F184A9DE1E94B3E2C3B99549CB67
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AllocString
                                                                                                                                                          • String ID: !$#$%$'$)$+$-$/$0$1$3$@$A$D$^$k$m$n$o$q$q$s$s$u$w$y$z${$|$}$}$~
                                                                                                                                                          • API String ID: 2525500382-1499041251
                                                                                                                                                          • Opcode ID: 96396f94e3a2899fb35ef1564563576ae6443a919e8fefbf7457e391102356cf
                                                                                                                                                          • Instruction ID: 07d8931accc1e216bcac131d1863a2078c31fa044368865e1b3e39b93ff44b3e
                                                                                                                                                          • Opcode Fuzzy Hash: 96396f94e3a2899fb35ef1564563576ae6443a919e8fefbf7457e391102356cf
                                                                                                                                                          • Instruction Fuzzy Hash: D991956040C7C18DD322DB78844875EBFE15BA7328F180A9DE1E94B3E2C7BA9549C767
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AllocString
                                                                                                                                                          • String ID: $+$0$3$6$<$U$[$b$i$m$n$v
                                                                                                                                                          • API String ID: 2525500382-4254328309
                                                                                                                                                          • Opcode ID: 70d5578a80aaee624cc13c424fb55e245117de5e8d31ecb09b4da49c2170305f
                                                                                                                                                          • Instruction ID: 2603d5e3f4f2631e68ae0cd328a1364e379b2a8fd7523953408b61dc65d2b3ca
                                                                                                                                                          • Opcode Fuzzy Hash: 70d5578a80aaee624cc13c424fb55e245117de5e8d31ecb09b4da49c2170305f
                                                                                                                                                          • Instruction Fuzzy Hash: 9691C560108BC1CED726CF3C8488606BFA16B26224F5887DDD8EA4F3DBD365D545C7A6
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AllocString
                                                                                                                                                          • String ID: $+$0$3$6$<$U$[$b$i$m$n$v
                                                                                                                                                          • API String ID: 2525500382-4254328309
                                                                                                                                                          • Opcode ID: 95149da0a422b14dbea2cc2f881a6883c8603a19f154dd3468e445edae0997dc
                                                                                                                                                          • Instruction ID: 87ebe45e8e707a4efc6b4daf12bf5aa42a4aacbc08dbfdac794b33a55b617d48
                                                                                                                                                          • Opcode Fuzzy Hash: 95149da0a422b14dbea2cc2f881a6883c8603a19f154dd3468e445edae0997dc
                                                                                                                                                          • Instruction Fuzzy Hash: 2F81A560408BC18ED722CF3C8588646BFA16B27224F4887CDD8E94F3DBC365D556D7A6
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Variant$ClearInit
                                                                                                                                                          • String ID: 2$C$J$K$M$Q$U$X$[$[$n
                                                                                                                                                          • API String ID: 2610073882-1972926546
                                                                                                                                                          • Opcode ID: c86c8a7c5d2a210e35a617d56914707fa0ada04b18f6b57b809ba11c0acae104
                                                                                                                                                          • Instruction ID: 130a690b0b646608de2fea0cc9c969e80f28811188b67cc3c3cffb1e2e87c6fb
                                                                                                                                                          • Opcode Fuzzy Hash: c86c8a7c5d2a210e35a617d56914707fa0ada04b18f6b57b809ba11c0acae104
                                                                                                                                                          • Instruction Fuzzy Hash: 5641D26410D7C1CEE3729B288858B8FBFE1ABA6224F084B5DD4E94B2D2C7755549CB23
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: Variant$ClearInit
• String ID: A$H$O$S$l$m$r$w$}$}
• API String ID: 2610073882-1206721304
• Opcode ID: 75cc9a8a0f8ddc50f916c27c16de6402d2845fd0f562e019fe4923f129a28185
• Instruction ID: 1bdc5e519b3a1c10a0f4776a38e31b909fb3bc484007d58397f9e8e6413b6536
• Opcode Fuzzy Hash: 75cc9a8a0f8ddc50f916c27c16de6402d2845fd0f562e019fe4923f129a28185
• Instruction Fuzzy Hash: 9841F770508B81CFD715DF38C48860ABFA0AF12224F088A8CD8EA4F797D775E515CBA2
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: Variant$ClearInit
• String ID: A$H$O$S$l$m$r$w$}$}
• API String ID: 2610073882-1206721304
• Opcode ID: a3c255f071028f88cb89dcd47e81a9b8dabd04e6fb9c431a5bcb53b639b5f0c6
• Instruction ID: ffff510a9603b7a21459f1ef397e1213e82b85fa1d216bf03efce6e448faae42
• Opcode Fuzzy Hash: a3c255f071028f88cb89dcd47e81a9b8dabd04e6fb9c431a5bcb53b639b5f0c6
• Instruction Fuzzy Hash: 4341D720409B81CED725DF2C858460ABFE06F16224F488A8CE8EA4F797D375E515CBA2
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: InitVariant
• String ID: !$#$%$'$)$+$-$/$1$3
• API String ID: 1927566239-2331977360
• Opcode ID: a74af8396c1682266e089c0487ce6037a9c8d3113e0d9eda75be2e06ff6a63f9
• Instruction ID: ee2f474e67f111082cefe67d3a0d52cb7bb2bf9376e94c587a8d0c8950ec508c
• Opcode Fuzzy Hash: a74af8396c1682266e089c0487ce6037a9c8d3113e0d9eda75be2e06ff6a63f9
• Instruction Fuzzy Hash: 294137700087818EE716CF28D498756BFE0AB16324F08869DD8EA4F397C7B5D549CBA6
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: InitVariant
• String ID: !$#$%$'$)$+$-$/$1$3
• API String ID: 1927566239-2331977360
• Opcode ID: 7ff96beb149720abc111d5a4a325261476aa5289834bc39e08dae04d264503ea
• Instruction ID: b6ef5648cfd053ab5c5235084f9802aba959b3e2c74c52f1b60c56c7b8547c4f
• Opcode Fuzzy Hash: 7ff96beb149720abc111d5a4a325261476aa5289834bc39e08dae04d264503ea
• Instruction Fuzzy Hash: 4241D4700087818ED722DF28D488716BFE06B2A314F0886DDD8E94F397C7B5D519DBA6
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: InitVariant
• String ID: 1$3$5$7$9$=$>
• API String ID: 1927566239-1319780741
• Opcode ID: 6f2094598513e7550a03f6de29a60b2461d009f1d2ba03ca284aaea2ce77932f
• Instruction ID: c44d57db78e0c69fe059c13c49a2fdb18f88503187e5edcbd4511c05639c99f3
• Opcode Fuzzy Hash: 6f2094598513e7550a03f6de29a60b2461d009f1d2ba03ca284aaea2ce77932f
• Instruction Fuzzy Hash: 1D41E57050C7C1CAE332DB2894987DABBE4AB96314F044D5ED4DD873A2C7744645CB53
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: DrivesLogical
• String ID: *q$uz$v~${=
• API String ID: 999431828-1084862487
• Opcode ID: e9e420dfd96ea913758df60c8637ea870d377622629703d560ee7e654dce59ef
• Instruction ID: 30a67f2b7f7586c8fca400b8d5c5678188133c4e8870100d16f5c5fbd868d992
• Opcode Fuzzy Hash: e9e420dfd96ea913758df60c8637ea870d377622629703d560ee7e654dce59ef
• Instruction Fuzzy Hash: CC912FB4900716DFDB04CF55D8C06AEBB72FF99305F1456A8C8552B355D738A822CF88
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: Variant$ClearInit
• String ID: "$.
• API String ID: 2610073882-3921061877
• Opcode ID: 3ce6da7747e4e3dd6ce4cd4fa46f262ded4de983bf5cdf44ddf92e7ba425ef2b
• Instruction ID: 48845c4405efb13bb663090461cc0c2e34938c2ce4129b6ba2c3fd8b1ff134bd
• Opcode Fuzzy Hash: 3ce6da7747e4e3dd6ce4cd4fa46f262ded4de983bf5cdf44ddf92e7ba425ef2b
• Instruction Fuzzy Hash: D741A36010C7C2CED331DB389448B9EBFE0ABA6224F048EAEE4E9576D2D7705545DB63
APIs
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: bfa343473436edd852ff6df2bfe459c5d571fa3cfc1c8186f5e9bdc9b0907b6d
• Instruction ID: fb02b0fc5b2f76077eedd25fc6691441f12c6c4511a0ba04d9f55f64451c9c4a
• Opcode Fuzzy Hash: bfa343473436edd852ff6df2bfe459c5d571fa3cfc1c8186f5e9bdc9b0907b6d
• Instruction Fuzzy Hash: D8C04CB2C11238E79611B7716D8482F3F2DA9496627056476E505630134A78BC019FE6
APIs
• CoCreateInstance.OLE32(00459100,00000000,00000001,004590F0,00000000), ref: 0044B5B3
• CoCreateInstance.OLE32(00459100,00000000,00000001,004590F0,00000000), ref: 0044B5FF
Strings
Memory Dump Source
• Source File: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_410000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: CreateInstance
• String ID: \
• API String ID: 542301482-2967466578
• Opcode ID: 83255310e8ef5e9bc3da65fadfa657208b4c75eed6e810e1c1971af16d651779
• Instruction ID: bd0631b28111de4514daba0a234969274d3a5cacd2c2c29cbf99a720c2c10886
• Opcode Fuzzy Hash: 83255310e8ef5e9bc3da65fadfa657208b4c75eed6e810e1c1971af16d651779
• Instruction Fuzzy Hash: B70102B0148301EEE310CF00D859B4BBAE4BB80B16F10881DF5945A1D1C7FA954CCF9A