Edit tour

Windows Analysis Report
LisectAVT_2403002A_476.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_476.exe
Analysis ID:	1482217
MD5:	642e53c26caa22594f194d6fd6f741d2
SHA1:	6841a765638a5c14ce3d72d659648cda1a0994d1
SHA256:	f7299491506a4658453d0614c307687d24a5af81d97140e7d8767c5421ce3b24
Tags:	exe
Infos:

Detection

LummaC, Go Injector, LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected Go Injector

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_476.exe (PID: 4508 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_476.exe" MD5: 642E53C26CAA22594F194D6FD6F741D2)

BitLockerToGo.exe (PID: 3236 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "problemregardybuiwo.fun", "lighterepisodeheighte.fun", "technologyenterdo.shop", "lighterepisodeheighte.fun"], "Build id": "VcS1Q5--newfile"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
LisectAVT_2403002A_476.exe	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2353353315.000000C001082000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000001.00000002.2358502353.00007FF629174000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
00000001.00000000.2150034423.00007FF629174000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
Process Memory Space: LisectAVT_2403002A_476.exe PID: 4508	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T19:38:19.324971+0200
SID:	2022930
Source Port:	443
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lighterepisodeheighte .fun) - Source IP: 192.168.2.6 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T19:38:22.231012+0200
SID:	2051470
Source Port:	49490
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (technologyenterdo .shop) - Source IP: 192.168.2.6 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T19:38:22.241456+0200
SID:	2050998
Source Port:	53603
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (turkeyunlikelyofw .shop) - Source IP: 192.168.2.6 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T19:38:22.312245+0200
SID:	2050956
Source Port:	64458
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T19:38:56.937258+0200
SID:	2022930
Source Port:	443
Destination Port:	49718
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (associationokeo .shop) - Source IP: 192.168.2.6 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T19:38:22.322115+0200
SID:	2050952
Source Port:	64837
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pw) - Source IP: 192.168.2.6 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T19:38:22.301510+0200
SID:	2050953
Source Port:	54381
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fun) - Source IP: 192.168.2.6 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T19:38:22.283519+0200
SID:	2051473
Source Port:	50925
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (problemregardybuiwo .fun) - Source IP: 192.168.2.6 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T19:38:22.252967+0200
SID:	2050955
Source Port:	53573
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (detectordiscusser .shop) - Source IP: 192.168.2.6 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T19:38:22.265044+0200
SID:	2050996
Source Port:	58716
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_476.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://lighterepisodeheighte.fun/api	Avira URL Cloud: Label: malware
Source: https://associationokeo.shop/	Avira URL Cloud: Label: malware
Source: https://detectordiscusser.shop/api	Avira URL Cloud: Label: malware
Source: https://pooreveningfuseor.pw/api/api	Avira URL Cloud: Label: malware
Source: technologyenterdo.shop	Avira URL Cloud: Label: malware
Source: https://associationokeo.shop/apisf	Avira URL Cloud: Label: malware
Source: https://associationokeo.shop//	Avira URL Cloud: Label: malware
Source: https://pooreveningfuseor.pw/api	Avira URL Cloud: Label: malware
Source: associationokeo.shop	Avira URL Cloud: Label: malware

Found malware configuration

Source: 3.2.BitLockerToGo.exe.600000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "problemregardybuiwo.fun", "lighterepisodeheighte.fun", "technologyenterdo.shop", "lighterepisodeheighte.fun"], "Build id": "VcS1Q5--newfile"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String decryptor: associationokeo.shop
Source: 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String decryptor: turkeyunlikelyofw.shop
Source: 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String decryptor: pooreveningfuseor.pw
Source: 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String decryptor: edurestunningcrackyow.fun
Source: 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String decryptor: detectordiscusser.shop
Source: 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String decryptor: problemregardybuiwo.fun
Source: 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lighterepisodeheighte.fun
Source: 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String decryptor: technologyenterdo.shop
Source: 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lighterepisodeheighte.fun
Source: 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String decryptor: VcS1Q5--newfile

Source: LisectAVT_2403002A_476.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: LisectAVT_2403002A_476.exe, 00000001.00000002.2349220183.000000C0007F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_476.exe, 00000001.00000003.2345604969.000002A25EA40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_476.exe, 00000001.00000002.2350737713.000000C00082E000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_476.exe, 00000001.00000003.2345642713.000002A25EA00000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2346300993.00000000007C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: LisectAVT_2403002A_476.exe, 00000001.00000002.2349220183.000000C0007F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_476.exe, 00000001.00000003.2345604969.000002A25EA40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_476.exe, 00000001.00000002.2350737713.000000C00082E000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_476.exe, 00000001.00000003.2345642713.000002A25EA00000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2346300993.00000000007C0000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ebp+00h], 0000h	3_2_0060A560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ecx-08h], CCC8066Ah	3_2_006317F2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi+00000128h]	3_2_0061504F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh	3_2_00617031
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [eax-08h], 0AB35B01h	3_2_0061418B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_00616266
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ebx], ax	3_2_0061F212
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	3_2_0061F212
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	3_2_006332E1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+10h]	3_2_00619350
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ecx+edx+02h], 0000h	3_2_006343C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [edx+ebp], al	3_2_00603390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then inc edi	3_2_006125E9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_0062466A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_0062466A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi], 00000000h	3_2_0061B6E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [eax-08h], A352EDFDh	3_2_0061B6E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, byte ptr [ebx]	3_2_0063276D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [eax], 0000h	3_2_006137F3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esi+000001B0h], 00000000h	3_2_006147AF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+esi]	3_2_006088C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	3_2_0061E960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi+40h]	3_2_0062095B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esi], ebp	3_2_006019D4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edx+ebp], bl	3_2_006089A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_00624A1C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+0Ch]	3_2_00618AF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi]	3_2_00621B6B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi]	3_2_00621B6B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	3_2_00609C20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00622C0D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00622C0D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00622C0D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00622C0D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi]	3_2_00622C0D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00622C0D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], dl	3_2_00622C0D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00622C15
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00622C15
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00622C15
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00622C15
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi]	3_2_00622C15
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00622C15
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], dl	3_2_00622C15
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [ecx+eax+01h], 00000000h	3_2_00611CFA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	3_2_00632C90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_00623DC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_00623DC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+60h]	3_2_00617E5F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	3_2_00617E5F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh	3_2_00616EA2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+000000BCh]	3_2_0061BF40

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: associationokeo.shop
Source: Malware configuration extractor	URLs: turkeyunlikelyofw.shop
Source: Malware configuration extractor	URLs: pooreveningfuseor.pw
Source: Malware configuration extractor	URLs: edurestunningcrackyow.fun
Source: Malware configuration extractor	URLs: detectordiscusser.shop
Source: Malware configuration extractor	URLs: problemregardybuiwo.fun
Source: Malware configuration extractor	URLs: lighterepisodeheighte.fun
Source: Malware configuration extractor	URLs: technologyenterdo.shop
Source: Malware configuration extractor	URLs: lighterepisodeheighte.fun

Source: unknown	DNS traffic detected: query: problemregardybuiwo.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: turkeyunlikelyofw.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: associationokeo.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: detectordiscusser.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lighterepisodeheighte.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: edurestunningcrackyow.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: technologyenterdo.shop replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: lighterepisodeheighte.fun
Source: global traffic	DNS traffic detected: DNS query: technologyenterdo.shop
Source: global traffic	DNS traffic detected: DNS query: problemregardybuiwo.fun
Source: global traffic	DNS traffic detected: DNS query: detectordiscusser.shop
Source: global traffic	DNS traffic detected: DNS query: edurestunningcrackyow.fun
Source: global traffic	DNS traffic detected: DNS query: pooreveningfuseor.pw
Source: global traffic	DNS traffic detected: DNS query: turkeyunlikelyofw.shop
Source: global traffic	DNS traffic detected: DNS query: associationokeo.shop

Source: LisectAVT_2403002A_476.exe	String found in binary or memory: http://beego.me/docs/advantage/monitor.md
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: http://beego.me/docs/module/toolbox.md
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: http://man7.org/linux/man-pages/man5/machine-id.5.htmlSpec
Source: BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop/
Source: BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop//
Source: BitLockerToGo.exe, 00000003.00000003.2348128184.00000000007E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop/api
Source: BitLockerToGo.exe, 00000003.00000003.2347756071.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop/apisf
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://database.usgovcloudapi.net/Items
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://datalake.azure.net/https://api.loganalytics.iohttps://graph.microsoft.us/https://api.loganal
Source: BitLockerToGo.exe, 00000003.00000003.2347977340.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348695846.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2348128184.00000000007E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://detectordiscusser.shop/api
Source: BitLockerToGo.exe, 00000003.00000003.2347977340.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348695846.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2348128184.00000000007E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edurestunningcrackyow.fun/
Source: BitLockerToGo.exe, 00000003.00000003.2347977340.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348695846.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2348128184.00000000007E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edurestunningcrackyow.fun/S
Source: BitLockerToGo.exe, 00000003.00000003.2347756071.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edurestunningcrackyow.fun/api
Source: BitLockerToGo.exe, 00000003.00000003.2347756071.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edurestunningcrackyow.fun/api:
Source: BitLockerToGo.exe, 00000003.00000003.2347756071.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edurestunningcrackyow.fun/apidl
Source: BitLockerToGo.exe, 00000003.00000003.2347977340.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348695846.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2348128184.00000000007E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edurestunningcrackyow.fun/~
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/mysql-cinder-pd/README.mdAPIVersions
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/mysql-cinder-pd/README.mdContainer
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/mysql-cinder-pd/README.mdList
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/mysql-cinder-pd/README.mdPersistentVolume
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/mysql-cinder-pd/README.mdResourceClaimName
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-itOptional:
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-itgroup
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-ituser
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-podA
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-podIngress
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-podWhether
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-podpodIPs
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/volumes/glusterfs/README.mdIf
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/volumes/glusterfs/README.mdRegisting
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-itA
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-itForce
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-itGo
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-itName
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-itThe
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://examples.k8s.io/volumes/rbd/README.md(?
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-cont
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotencyContr
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataAPIVersi
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataFlexPers
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataIndicate
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataName
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataStatus
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadatalimit
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadatareadOnly
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcesStatefu
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusG
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusH
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusI
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusK
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusL
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusM
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusN
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusR
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusS
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusT
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusW
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusa
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusp
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statust
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsThe
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindscurre
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsresou
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsvolum
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.mdSecretReference
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-classNamespace
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.mdEntrypoint
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://github.com/go-sql-driver/mysql/wiki/old_passwordsreadOnly
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://github.com/go-sql-driver/mysql/wiki/strict-mode
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://github.com/kubernetes-sigs/windows-gmsa)
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://github.com/otan/gopgkrb5cannot
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://github.com/pygments/pygments/blob/15f222adefd2bf7835bfd74a12d720028ae68d29/pygments/lexers/d
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://gohugo.io/methods/page/path/readOnly
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://golang.org/doc/faq#nil_errorcannot
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://golang.org/pkg/unicode/#IsPrint.
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/(.
Source: LisectAVT_2403002A_476.exe, 00000001.00000002.2346989260.000000C000036000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://iamcredentialsembedded/angular2.xmlproto:
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://issues.k8s.io/61966Path
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/architecture/nodes/#capacity
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/The
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/If
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/Represents
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/The
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/nodeAffinity
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/configuration/secret/#secret-typesValue
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/configuration/secretID
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/configuration/secretIPFamilyPolicy
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooksHostProcess
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/containers/images
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/containers/images.PodSecurityContext
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-podSchedulin
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/containers/imagesOS
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/nodes/node/#addresses
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/nodes/node/#conditionKind
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/nodes/node/#infomust
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/nodes/node/#phase
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations(?
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectorsImmutable
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectorsThe
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectorslocalhostPr
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/labelsThe
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#namesRepresents
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#namesVerbs
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uidsReceived
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uidsSpecifies
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names0?
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#namesstoragePolicyID
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uidsSpecifies
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/Deprecated:
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/DeprecatedServiceAccoun
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespacesmode
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/policy/resource-quotas/List
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/policy/resource-quotas/secretRef
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/policy/resource-quotas/volumeName
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-serviceMaxSkew
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-typesco
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeportUse
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies(?:(
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxiesClus
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxiesSpec
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxiesdata
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/services-networking/service/An
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1Status
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modesemptyDir
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacityHost
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacityThe
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1Please
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumesOwnerReference
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumesTTY
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaimsA
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaimsName
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaimsPeriodic
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaimsServiceAccount
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaimsThe
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-optionsDeprecated.
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumesItems
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumesfsType
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstoreBounded-sized
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstoremountOptions
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstoreordinals
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#emptydirglusterfs
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#emptydirmatchLabels
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#emptydirpersistentVolumeReclaimPolicy
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdiskStatus
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdiskWhenScaled
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdiskpersistentVolumeClaimVolumeSour
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#hostpathA
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#hostpathName
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#hostpathThe
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#iscsi(?=
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#nfs
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#nfsDeprecated.
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#nfsResources
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#nfsverbs
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#rbdEstimated
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#secret
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#secretmonitors
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumesSpecifies
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/Represents
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/glusterfs
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/spec
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-ow
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/EndpointSubset
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/If
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/Route
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-templateTolerati
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-templatekind
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicatio
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicati
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontrollerHostAlias
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probesCount
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probesMemory
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probesSpecifies
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probesstatus
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-statusLimits
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditionsA
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditionsIf
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditionsMinimum
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phaseThe
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policySupports
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#quality-of-service-classesversion
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/Pod
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/secretFile
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/GroupVersion
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/Estimated
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-
Source: BitLockerToGo.exe, 00000003.00000003.2347977340.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348695846.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2348128184.00000000007E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lighterepisodeheighte.fun/
Source: BitLockerToGo.exe, 00000003.00000002.2348525768.00000000007A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lighterepisodeheighte.fun/api
Source: BitLockerToGo.exe, 00000003.00000002.2348525768.00000000007A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lighterepisodeheighte.fun/apiZ
Source: BitLockerToGo.exe, 00000003.00000003.2347756071.00000000007C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lighterepisodeheighte.fun/j
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://login.microsoftonline.com/https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.n
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://management.azure.com/https://managedhsm.azure.net/https://servicebus.azure.net/https://datab
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://management.azure.comproto.HydratedTemplateButtongob:
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://management.core.usgovcloudapi.net/https://dev.azuresynapse.usgovcloudapi.netk8s.io.api.apps.
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://management.core.windows.net/https://management.chinacloudapi.cn/https://servicebus.chinaclou
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://microsoftgraph.chinacloudapi.cnk8s.io.api.apps.v1.StatefulSetConditionsucceeded
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://ossrdbms-aad.database.windows.nethttps://management.core.chinacloudapi.cn/https://ossrdbms-a
Source: BitLockerToGo.exe, 00000003.00000003.2347756071.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pooreveningfuseor.pw/api
Source: BitLockerToGo.exe, 00000003.00000003.2347977340.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348695846.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2348128184.00000000007E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pooreveningfuseor.pw/api/
Source: BitLockerToGo.exe, 00000003.00000003.2347756071.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pooreveningfuseor.pw/api/api
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://pr.k8s.io/79391
Source: BitLockerToGo.exe, 00000003.00000003.2347756071.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://technologyenterdo.shop/
Source: BitLockerToGo.exe, 00000003.00000003.2347756071.00000000007C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://technologyenterdo.shop/api48
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://tools.ietf.org/html/rfc4648#section-4Expanded
Source: BitLockerToGo.exe, 00000003.00000003.2347756071.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turkeyunlikelyofw.shop/
Source: BitLockerToGo.exe, 00000003.00000003.2347756071.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turkeyunlikelyofw.shop/R
Source: BitLockerToGo.exe, 00000003.00000003.2347977340.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2347756071.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348695846.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2348128184.00000000007E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turkeyunlikelyofw.shop/api
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.com&ControllerRevisionList
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps://vault.azure.cn/vault.mi
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://web.whatsapp.comserver
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://www.iana.org/assignments/service-names).
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc6455
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc7540

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00628090 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

3_2_00628090

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.2353353315.000000C001082000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00616010 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00616010
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00634090 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00634090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_006341A0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_006341A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_006314BF NtOpenSection,	3_2_006314BF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_006316EC NtMapViewOfSection,	3_2_006316EC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_006317F2 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_006317F2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_006319B2 NtClose,	3_2_006319B2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00633EB0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00633EB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00630E9D NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00630E9D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0061B06E NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0061B06E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_006190C1 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_006190C1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_006300A0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,RtlAllocateHeap,NtFreeVirtualMemory,	3_2_006300A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0062513A NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0062513A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_006171B9 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_006171B9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0061418B NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0061418B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0061F212 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0061F212
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_006342B0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_006342B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_006343C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_006343C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0061E3B0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0061E3B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0061C3B8 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0061C3B8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_006163BC NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_006163BC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0061E4F2 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0061E4F2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0061C4BB NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0061C4BB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00634530 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00634530
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_006215A3 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_006215A3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0061B6E2 LoadLibraryW,GetProcAddress,GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0061B6E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00634820 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00634820
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0061A8E0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0061A8E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0062F880 NtAllocateVirtualMemory,NtFreeVirtualMemory,RtlAllocateHeap,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0062F880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0061F930 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0061F930
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0061AAF0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0061AAF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0062FB40 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0062FB40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00613B44 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00613B44
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00617B38 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00617B38
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00619B1C NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00619B1C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00634B90 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00634B90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0062DC00 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0062DC00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0062FCA0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0062FCA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0062FD90 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0062FD90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00624EE6 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00624EE6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00616EA2 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00616EA2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00624FDC NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00624FDC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0062FF90 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0062FF90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00634F90 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00634F90

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0060A7C0	3_2_0060A7C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00601000	3_2_00601000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0062513A	3_2_0062513A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00606200	3_2_00606200
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0062520B	3_2_0062520B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0061F212	3_2_0061F212
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_006252A9	3_2_006252A9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00603390	3_2_00603390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00605450	3_2_00605450
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00611600	3_2_00611600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0061B6E2	3_2_0061B6E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_006067F0	3_2_006067F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00604820	3_2_00604820
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00612823	3_2_00612823
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0061F930	3_2_0061F930
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0062D9A0	3_2_0062D9A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00608B60	3_2_00608B60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00634B90	3_2_00634B90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00622C15	3_2_00622C15
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00623DC0	3_2_00623DC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00617E5F	3_2_00617E5F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00603E20	3_2_00603E20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00607E10	3_2_00607E10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00602FB0	3_2_00602FB0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 006091B0 appears 146 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 006088A0 appears 44 times

Source: LisectAVT_2403002A_476.exe

Static PE information: Number of sections : 12 > 10

Source: LisectAVT_2403002A_476.exe, 00000001.00000003.2345604969.000002A25EA40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs LisectAVT_2403002A_476.exe
Source: LisectAVT_2403002A_476.exe, 00000001.00000002.2364530910.00007FF629DEE000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename2024archivefrapendiente.exe`> vs LisectAVT_2403002A_476.exe
Source: LisectAVT_2403002A_476.exe, 00000001.00000002.2350737713.000000C00082E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs LisectAVT_2403002A_476.exe
Source: LisectAVT_2403002A_476.exe, 00000001.00000003.2345642713.000002A25EA00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs LisectAVT_2403002A_476.exe
Source: LisectAVT_2403002A_476.exe, 00000001.00000002.2350737713.000000C000800000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs LisectAVT_2403002A_476.exe

Source: 00000001.00000002.2353353315.000000C001082000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: LisectAVT_2403002A_476.exe

Binary string: flate: maxBits too largeGetProcessImageFileNameWinvalid tracestate value\Device\NamedPipe\cygwinstreamSafe was not resetREFUND_FAILED_PROCESSINGVERIFIED_INITIAL_UNKNOWNGROUP_CHANGE_INVITE_LINKGROUP_CHANGE_DESCRIPTIONGROUP_PARTICIPANT_REMOVEGROUP_PARTICIPANT_DEMOTEGROUP_PARTICIPANT_INVITEINDIVIDUAL_CHANGE_NUMBERBIZ_MOVE_TO_CONSUMER_APPGROUP_V4_ADD_INVITE_SENTCHANGE_EPHEMERAL_SETTINGproto.HydratedCallButtonproto.SendPaymentMessageproto.GroupInviteMessagenon-empty decoder bufferencodeArray: nil elementno multiplexing ID foundUnknown address type: %sNested channel(id:%d) %sMalformed method name %qBad 'interval' param: %sTotal number of mallocs.key %q is not lower caseinvalid argument type %Tinvalid field number: %dcould not resolve %q: %vItems is a list of Roles&ClusterRoleBindingList{^[A-Za-z_][A-Za-z0-9_]*$gorm:skip_query_callbacktimestamp with time zoneprimary key can't be nilgorm:started_transactionexpected a slice, got %TValue kind is %s, not %sGODEBUG sys/cpu: value "", required CPU feature

Source: LisectAVT_2403002A_476.exe, 00000001.00000002.2349220183.000000C000491000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: .wsdlfilenameOOoo.wsffilename<<<.svgfilenameOOoo.csprojfilename09afXXxx*.vcxproj
Source: LisectAVT_2403002A_476.exe	Binary or memory string: <filename>*.csproj</filename>
Source: LisectAVT_2403002A_476.exe, 00000001.00000002.2349220183.000000C000491000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: *.csprojfilename0

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@8/0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00627386 CoCreateInstance,

3_2_00627386

Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe

File created: C:\Users\Public\Libraries\mglma.gif

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe

File opened: C:\Windows\system32\7b7600f42b90b75a1133e4fc8162cb697a76f3cc4919801519df0856f7084897AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: LisectAVT_2403002A_476.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LisectAVT_2403002A_476.exe	String found in binary or memory: baseProfiletter-spacinglyph-orientation-verticalignment-baseline-shiftext-anchorx1buffered-renderingclip-patheightext-decorationclip-rulenable-backgroundisplay1contentScriptTypecontentStyleTypecursory2fill-ruleflood-color-interpolation-filterscriptext-renderingflood-opacitypefont-familyfont-size-adjustop-colorfont-stretchrefeImagefont-stylefont-variantfont-weightforeignObjectimage-renderingmarker-endominant-baselinemarker-midmarker-startmaskerningmetadatamissing-glyph-orientation-horizontalighting-color-profilepatternpointer-eventshape-renderingpointsolid-color-renderingpolygonpolylinepreserveAspectRatioverflowhite-spacestop-opacitystroke-dasharraystroke-dashoffsetstroke-linecapaint-orderstroke-linejoinstroke-miterlimitstroke-opacitystroke-widthsvgswitchsymbolunicode-bidirectionusevector-effectversionviewBox2viewport-fill-opacityvisibilityword-spacingwriting-modefsolid-opacityxml:space
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: -ms-filteradial-gradientext-emphasis-colorgbackground-attachmentext-indentext-justify-contentext-kashida-spacelevationavajowhitext-decoration-line-heightext-overflow-xx-largerichnessaddlebrowno-repeat-yanimation-namespacenteruby-overhangainsborosybrownanimation-play-statext-align-lastresscrollbar-arrow-coloruby-positionanimation-timing-functionazimuthoneydeword-breakbackground-originclude-sourcebackground-position-xbackground-position-ybackground-repeat-xbackground-sizebehaviorblackblanchedalmondarkblueboldarkcyanimation-delayer-background-colorborder-bottom-colorborder-bottom-stylemonchiffont-faceborder-bottom-widthslavenderblushborder-box-shadoword-spacinghostwhitext-decoration-colorborder-collapseashellawngreenborder-colorborder-left-colorborder-left-styleborder-left-widthborder-right-colorborder-right-styleborder-right-widthborder-spacingrid-areanimation-durationormalphacceleratorphansandybrownonempty-cellsans-serifantasyborder-styleborder-top-colorborder-top-styleborder-top-widthborder-widthburlywoodarkgoldenrodarkgraycaption-sideepskybluecaret-colorchartreusechocolatext-autospaceclampadding-boxclearcolumn-counter-resetransition-propertycolumn-rule-colorcolumn-rule-stylecolumn-rule-widthcolumn-widthcornflowerbluecornsilkcue-aftercue-beforestgreenvisibilitycurrentcolorcursivecursordarkvioletdocumentdodgerbluedpcmargin-topadding-rightdpitch-rangedppxflex-growflex-shrinkflex-wrapadding-topage-break-afterfloattransition-delayer-background-imagefloralwhitesmokeyframescrollbar-dark-shadow-colorfont-familyfont-size-adjustify-itemscrollbar-face-colorfont-stretcharsetfont-stylefont-variantiquewhite-spacefont-weightfuchsianimation-fill-modeeppinkhz-indexx-smalleroyalbluegrid-column-gapage-break-beforegrid-column-startgrid-row-endarkolivegreengrid-row-gapage-break-insidegrid-row-startgrid-template-areascrollbar-track-colorgrid-template-columnsolidarkorangeredarkgreenyellowgreengrid-template-rowspeak-headerimportantinheritinitialicebluevioletter-spacingrid-auto-columnscrollbar-highlight-colorinvertical-align-itemspeak-numeralayout-grid-char-spacingrid-auto-flowjustify-selfirebricklayout-grid-line-breaklayout-grid-modegrid-auto-rowscrollbar-shadow-colorlayout-grid-typeachpufflex-basiscrollbar-base-colorlightbluelightcoralign-selflex-directionlightcyanimation-directionlightgoldenrodyellowlightgraylightgreenlightpinklightsalmonlightseagreenlightskybluelightslatebluelightsteelbluelightyellowlimegreenlinear-gradientlist-style-imagelist-style-positionlist-style-typelocalcadetbluemaskmax-heightmax-widthmediumaquamarinemediumbluemediumorchidarkorchidarkkhakime-modefaultransition-timing-functionmediumpurplemediumseagreenmediumslatebluemediumspringgreenmediumturquoisemediumvioletredarksalmonospacemidnightbluemin-heightmin-widthmintcreamarker-offset-anchormistyrosemmarkspeak-punctuationmoccasindianredarkseagreenoffset-distanceoffset-pathoffset-positionoffset-rotatext-decoration-styleolivedrabackground-clipadding-bottomargin-rightransition-durationoutline-coloroutl
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: ipconfigfc00::/7ff00::/8100::/64yamux:%sbalancerchannelz%s -> %scode: %smax_idleerrs<10serrs<10merrs<10hall timedistTmplseveritymemstatsGODEBUG=tdewolffMin %s%sMax %s%scalendardemotypeRSS homelayouts/keywordsTopRightGaussianBlackmanBartlettmodifiedassoc-ifbit-nandbit-orc1bit-orc2char-intclass-ofcomplexpcopy-seqcount-ifdescribefceilingimagpartintegerpkeywordpldb-testlogandc1logandc2logcountmap-intomismatchnbutlastnoteverynreversepackageppathnamepositionproclaimrationalrealpartstring<=string>=string/=subst-ifsubtypeptruenameunexportuninterny-or-n-pmacroletdefclassdefmacrotypecaseoptimizesequencecl-blockcl-callfcl-defuncl-ecasecl-fletcl-letfcl-progvcl-psetfcl-psetqdefgroupdefsubstdefthemenoreturndefconstautoloadcar-safecdr-safecharsetpcommandpcopysigndowncasefile-aclfont-getfont-putgap-sizeget-bytemapatomsmax-charoverlaypprocessppurecopyrecentersetplisttime-addtty-typeuser-uiddefaliasfeaturephtml+kid.sveltepackage \{(?=\s)\s+#.\n/[^\s#]variable[^#$\s]+0b[01_]+abstract\.[0-9]+(?:if)\b(?:do)\b(?:in)\bdo-whilecase-sepcall-sep[^\\\s]+wheneverCallablecompilerCompUnitCX::WarnCX::TakeCX::RedoCX::NextCX::LastCX::EmitCX::DoneEncodingIO::PathIO::PipeIO::SpecIterableIteratorJunctionlonglongRationalSequenceSupplierSystemicVariableWhateverabsoluteaccessedadd_roleaddendumallocateantipairarchnameassumingbail-outbasenameBIND-KEYBIND-POSbind-udpcallsamecallwithclassifycodenamecomposercontainscontentscurupdirdaycountDEFINITEdefiniteEVALFILEexitcodeexpectedFALLBACKhardwarehh-mm-ssinfinitecicumfixinvocantis-primeiteratorlastcalllives-okmaxpairsminpairsnew_typenextsamenextwithon-closeos-errorpackagespath-sepprematchprint-nlprint-topull-onepush-allrelativeRUN-MAINsamecasesamemarksamewithset_nameset_authshort-idsink-allskip-onesplitdirsubparsetertiarythrottletimezoneto-posixtrailingtypenameundefineunimatchuninamesuniparseunipropswordcasewrite-to#[^\n]$(:)(\w+)\$[/!
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine ChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtraDeprecatedOther_MathRIPEMD-160.localhostwsarecvmsgwsasendmsgIP addressunixpacket netGo = SHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1POSTALCODEexecerrdotSYSTEMROOTtable nameone_outputUSERDOMAINres binderres masterresumptionexp masterConnectionlocal-addrimage/webpaudio/wavevideo/webmfont/woff2RST_STREAMEND_STREAMSet-Cookie; HttpOnlybytes */%d stream=%dset-cookieuser-agentkeep-alive:authorityconnectionequivalentHost: %s
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: bad kind: %sunknown nameavx5124fmapsavx512bitalgempty objectraw-protobufplugin.protologrus_errorPdhOpenQuerynotificationmessage_infomatched-textannouncementfirst_usable192.0.2.0/242001:10::/2864:ff9b::/96192.0.0.0/29192.0.0.0/24plugin.EmptyListenSocketNormalSocketgrpc-messagegrpc-timeoutGrpc-Messagesitemapindextaxonomytermadjust-arrayalpha-char-papropos-listassoc-if-notbit-vector-pchange-classclear-outputcompile-filecount-if-notdecode-floatdigit-char-pfill-pointerfind-packagefind-restartfloat-digitsforce-outputhash-table-pintersectionlower-case-pmachine-typemake-packagepackage-nameprint-objectrestart-nameslot-missingslot-unboundstring-equalstring-lesspsubst-if-notsymbol-plistsymbol-valueupper-case-pwrite-stringdefparameterhandler-bindhandler-caserestart-bindrestart-case&environmentsingle-floatdouble-floatsimple-arrayreader-errorstream-errorunbound-slotrandom-statecl-defstructcl-etypecasecl-eval-whendefvar-localdont-compilelexical-letoref-defaultoset-defaultpcase-dolistwith-timeoutsetq-defaultassoc-stringcall-processcase-table-pchar-charsetchar-table-pclear-stringcolor-gray-pcurrent-timedelete-fielddelete-framedo-auto-saveerase-bufferfield-stringfont-match-pfontset-fontfontset-infofontset-listforward-charforward-lineforward-wordframe-live-pgap-positionimage-mask-pkill-processload-averagelookup-imagemake-overlaymemory-limitmove-overlaymsdos-memgetmsdos-memputother-bufferplist-memberpoint-markerprocess-listprocess-markprocess-nameprocess-typequit-processread-commandredraw-frameregexp-quotescroll-rightselect-frameset-file-aclstop-processstring-bytesstring-matchstring-widthsyntax-tablesystem-userswidget-applywindow-edgeswindow-framewindow-pointwindow-startwrite-regionx-list-fontsx-popup-menutext/x-gosrctext/x-perl6subdirectivenested_block[^\s#{}$\]]+^\s(\{)\s$attr-dstringattr-sstring(?:import)\bimport-identpreproc-exprtypedef-bodybracket-openclass-memberclass-method(function)\bprop-get-set(?:switch)\b(?:return)\barray-access^(#[^#].+\n)(?<!['\w:-])(?<=^\|\b\|\s)CancellationDistributionIO::ArgFilesPod::HeadingWhateverCodeexperimentalaccepts_typeadd_fallbackapp_lifetimeatomic-fetchcombinationscomposalizercompose_typedid-you-meandone-testingeval-dies-okexcludes-maxexcludes-minfull-barrierhas_accessorpostcirumfixis-leap-yearload-repo-idmethod_tablenativesizeofpackage-kindpermutationspush-exactlyread-uint128redispatcherreplace-withroutine-typeset_is_mixinsubst-mutatetotal-memorytrim-leadingtruncated-towhole-secondwrite-int128write-uint16write-uint32write-uint64metaoperatorsubstitutionsingle-quote[<>,:=.%+\|][{}()\[\]\\][\w"\-!/&;]+LITE_RUNTIMESTRING_PIECE%v: %v => %v(database)s$macroman_binarmscii8_binserverPubKeywriteTimeoutError %d: %sUNSIGNED INTSERIALIZABLEtx is closedserializableAWS StandardAWS ISO (US)ca-central-1eu-central-1eu-central-2il-central-1me-central-1auditmanagercodeartifactcodecatalystcodepipelinecognito-synccontact-lenscontroltowerdata-ats.iotdataexchangedatapipelinefinspace-apiimportexportiotanalyticsiotfleetwiseiottwinmakerkafkaconnect
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: ULwesithathuDownArrowBarDownTeeArrowExponentialEGreaterEqualGreaterTildeHilbertSpaceHumpDownHumpIntersectionLeftArrowBarLeftTeeArrowLeftTriangleLeftUpVectorNotCongruentNotLessEqualNotLessTildeProportionalRightCeilingRoundImpliesShortUpArrowSquareSubsetUnderBracketVerticalLineblacklozengeexponentialerisingdotseqtriangledowntriangleleft<![endif]-->fill-opacityfont-stretchfont-variantmarker-startstop-opacitystroke-widthunicode-bidiword-spacingwriting-modeminify-out-*bad Tc valuebad Th valuebad Tq valuebad Pq valuebad Td valuebad Ta value#ansidarkred#ansifuchsia%02x%02x%02xusingbygroupExposureTimeMeteringModeExposureModeWhiteBalanceGPSVersionIDGPSLongitudeGPSTimeStampGPSSatelitesGPSDateStampsigned shortserver errorBindComplete<(%s,%s),%s>_timestamptzCoInitializeRoInitializemonokailightparaiso-darkrainbow_dashalgol_nu.xmlcolorful.xmldoom-one.xmlfriendly.xmllovelace.xmlpygments.xmlinvalid JSONVariableDeclArgumentDeclStmt(switch ...Binding((new.target)if statement%sRawText: "^[ ]{0,3}<\?NotHumpEqualvarsubsetneqvarsupsetneqECMABoundary, unindex = Windows 1250Windows 1251Windows 1252Windows 1253Windows 1254Windows 1255Windows 1256Windows 1257Windows 1258FootnoteLinkFootnoteListTaskCheckBoxTOO_MANY_FOOlevel 3 resetsrmount errortimer expiredexchange fullRegEnumKeyExWRegOpenKeyExWCertOpenStoreFindNextFileWMapViewOfFileVirtualUnlockWriteConsoleWFreeAddrInfoWgethostbynamegetservbynameparsing time out of range in duration is too largeDeleteServiceStartServiceWFindResourceWGetDriveTypeWModule32NextWThread32FirstRtlGetVersionRtlInitStringCoTaskMemFreeEnumProcessesShellExecuteWExitWindowsExGetClassNameWtimeEndPeriodWTSFreeMemoryFindFirstFileWSACloseEventgethostbyaddrgetservbyportWSAResetEventWSAIsBlockingSysFreeStringSafeArrayLockSafeArrayCopyVarI2FromDateVarI2FromDispVarI2FromBoolVarI4FromDateVarI4FromDispVarI4FromBoolVarR4FromDateVarR4FromDispVarR4FromBoolVarR8FromDateVarR8FromDispVarR8FromBoolVarDateFromI2VarDateFromI4VarDateFromR4VarDateFromR8VarDateFromCyVarCyFromDateVarCyFromDispVarCyFromBoolVarBstrFromI2VarBstrFromI4VarBstrFromR4VarBstrFromR8VarBstrFromCyVarBoolFromI2VarBoolFromI4VarBoolFromR4VarBoolFromR8VarBoolFromCyVarUI1FromStrCreateTypeLibClearCustDataLoadTypeLibExVarDecFromUI1VarDecFromStrVarDateFromI1VarBstrFromI1VarBoolFromI1VarUI1FromUI2VarUI1FromUI4VarUI1FromDecVarDecFromUI2VarDecFromUI4VarI1FromDateVarI1FromDispVarI1FromBoolVarUI2FromUI1VarUI2FromStrVarUI2FromUI4VarUI2FromDecVarUI4FromUI1VarUI4FromStrVarUI4FromUI2VarUI4FromDecBSTR_UserSizeBSTR_UserFreeVarI8FromDateVarI8FromDispVarI8FromBoolVarDateFromI8VarBstrFromI8VarBoolFromI8VarUI1FromUI8VarDecFromUI8VarUI2FromUI8VarUI4FromUI8VarUI8FromUI1VarUI8FromStrVarUI8FromUI2VarUI8FromUI4VarUI8FromDecOMAP From SrcInterfaceImplStandAloneSigAssemblyRefOSEFI byte codeMIPS with FPUDebugStrippedHighEntropyVAEFI ROM imageRISC-V Low12sMIPS JMP AddrRISC-V Low 12Albanian (sq)Armenian (hy)Assamese (as)Corsican (co)Croatian (hr)Estonian (et)Galician (gl)Georgian (ka)Gujarati (gu)Japanese (ja)Kashmiri (ks)Konkani
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: /debug/events=... setting.unpublishdateinput was nilalphanumericpbyte-positionchar-downcasechar-greaterpdelete-if-notdeposit-fielddocumentationfile-positionfinish-outputmacroexpand-1make-instancemake-pathnamemake-sequencemember-if-notnext-method-pnintersectionnsubst-if-notopen-stream-pparse-integerpathname-hostpathname-namepathname-typepprint-indentpprint-linearrassoc-if-notread-sequenceremove-if-notremove-methodslot-exists-psoftware-typestring-upcasesubstitute-ifunuse-packageignore-errorsextended-charsimple-vectorstandard-charunsigned-bytecontrol-errorpackage-errorprogram-errorstyle-warningstring-streamcl-do-symbolsdefine-advicebackward-charbitmap-spec-pbool-vector-pbuffer-live-pbuffer-stringccl-program-pcharset-aftercharset-plistcopy-sequencedefault-valuedelete-regiondiscard-inputdowncase-wordend-kbd-macrofile-exists-pfile-locked-pget-file-chargnutls-deinitgnutls-errorpiconify-framekeymap-parentkeymap-promptlax-plist-getlax-plist-putmarker-buffermsdos-mouse-poverlay-listsoverlay-startposn-at-pointprocess-plistquery-fontsetread-functionread-variablerename-bufferreplace-matchselect-windowset-quit-charsort-charsetsstart-processsuspend-emacssystem-groupsterminal-listterminal-nametime-subtracttty-top-frameundo-boundaryunify-charsetunlock-bufferupcase-regionuse-local-mapuser-real-uidwindow-bufferwindow-list-1window-live-pwindow-parentwindow-systemx-file-dialogx-focus-framex-select-fontx-synchronizeforward-pointdefine-widgetcl-check-typetext/x-genshi@[^\s]+(?=\s)matcher_token[0-9]+[km]?\b^(\s)(##.)$py:[\w-]+\s=(`)([^`])(`)(?:package)\b(?:typedef)\bstring-singlestring-doublepreproc-errorabstract-bodymeta-call-sepbracket-closeoptional-expr(?:\+\+\|\-\-)bracket-checkhaxe-pre-proc^(#{2,6}.+\n)dynamic-scopeHyperWhateverIO::CatHandleIO::Path::QNXIO::Spec::QNXMONKEY-TYPINGadd_attributeatomic-assignclassify-listdays-in-montheval-lives-okpush-at-leastskip-at-leaststore-repo-idsub_signaturetrim-trailingtype_captureswrite-uint128double-quotesC?X::['\w:-]+escape-c-name(?<=<)[\|!?.]+pod-paragraphpod-formatter-bottom-stack:lang\W+(\w+)[^\\\n\[*`:]+BoxResamplingnot reachablestrings.Join(^(ax\|test)is$(octop\|vir)i$(x\|ch\|ss\|sh)$utf8_czech_ciutf8_roman_cisavepoint sp_amazonaws.comAWS ISOB (US)sc2s.sgov.govapi.detectivedkr-us-east-1dkr-us-east-2dkr-us-west-1dkr-us-west-2api.sagemakerappconfigdatabackupstoragedata.jobs.iotdirectconnectforecastqueryfrauddetectorgroundstationidentitystoreioteventsdataiotroborunnerapi-eu-west-1api-us-east-1api-us-west-2lakeformationlookoutvisionmodels-v2-lexrds.ca-west-1rds.us-east-1rds.us-east-2rds.us-west-1rds.us-west-2resiliencehubrolesanywheres3-external-1servicequotasssm-incidentsaws-cn-globalus-gov-east-1us-gov-west-1us-iso-east-1us-iso-west-1IsPlaceholderReservedNamesassertIntegerreadFieldHashskipFourBytestrySkipStringdecode base64invalid inputstruct Decodeunknown field_grpc_config.LOGGER_CLIENTLOGGER_SERVERvoor ChristusGreenwich-tydMaleisi
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine RegSetValueExWOther_ID_StartPattern_SyntaxQuotation_Markinternal error.in-addr.arpa.unknown mode: unreachable: /log/filter.go/log/helper.godata truncated
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: stop log entryconfig_helpers:\w+(\[.+?\])?(line %d:%d): protobuf error[]ClusterRole{ResourceNames:[]RoleBinding{Required valueInternal error%v NOT IN (%v)gorm:row_queryAUTO_INCREMENTVARCHAR(65532)DEFAULT VALUES(%v.%v %s (?))RequestTimeoutRequestExpired_light_yellow_not a data URIinvalid kind: no digits readGetSystemTimesEnumPageFilesWhttp.client_ipnot a PNG file192.168.0.0/16192.88.99.0/24169.254.0.0/162001:0000::/322001:0000::/232001:0200::/48203.0.113.0/24unknown ID: %vhealth_servicegrpc-trace-binshow_sensitivewebappmanifestHannResamplingresampleFilterchar-not-equalchar-not-lesspcopy-readtablecopy-structuredelete-packageget-propertiesgraphic-char-pinput-stream-pinteger-lengthinvoke-restartlong-site-namemacro-functionmake-conditionmake-load-formmuffle-warningno-next-methodnstring-upcasensubstitute-ifpprint-newlinepprint-tabularrandom-state-preadtable-caserename-packagerow-major-arefset-differencesymbol-packagewrite-sequenceunwind-protectdo-all-symbolswith-accessorswith-open-filedynamic-extentsimple-warningbuilt-in-classstandard-classsynonym-streamtwo-way-streamcl-return-frompcase-defmacrowhile-no-inputwith-temp-filecondition-casesave-excursionbacktrace-evalbyte-to-stringcategory-tablechar-to-stringcolor-distancecompute-motioncurrent-buffercurrent-columndbus--init-busdefault-boundpdelete-overlaydelete-processdump-glyph-rowfetch-bytecodefile-regular-pfile-symlink-pfollowing-charfont-drive-otffont-xlfd-nameframe-terminalfunction-equalgfile-rm-watchgpm-mouse-stopgroup-real-gidimage-metadatamake-byte-codemake-temp-namemap-char-tablematching-parenmessage-or-boxmouse-positionmove-to-columnoverlay-bufferposition-bytespreceding-charprevious-frameprocess-bufferprocess-filterprocess-statusrecent-doskeysrecursive-editredraw-displaysearch-forwardselected-frameset-case-tableset-file-modesset-file-timesset-frame-sizeset-input-modeset-match-datasignal-processstring-to-charsyntax-table-ptry-completionunibyte-stringuse-global-mapuser-full-namew32-frame-rectwindow-fringeswindow-hscrollwindow-marginswindow-valid-pwindow-vscrollx-create-framex-display-listx-family-fontsx-get-resourcex-popup-dialog`[a-zA-Z_]\w`embedded/.xmlcomments_pop_1comments_pop_2comments_pop_3\{[\w+.\$-]+\}expr-statement(?:abstract)\b[0-9]+\.[0-9]+0x[0-9a-fA-F]+function-paramfunction-local(?:function)\barray-decl-septype-full-nametype-param-sepIO::Path::UnixIO::Spec::Unixprecompilationadd_enum_valuebase-repeatingchild-typenamecompose_valuesGENERATE-USAGEgenerate_mixinnew-from-pairsprecomp-targetqualifier-typesource-packageverbose-config(>>)(\S+?)(<<)(
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: text/javascripttext/typescriptpageSort.ByDate.File.Extension.Page.File.LangDependencyScopeaggregationRulenonResourceURLsAggregationRuleDuplicate value^[-A-Za-z0-9]+$(?i)^count(.+)$bigint unsignedRETURNING %v.%vEMBEDDED_PREFIX(%v.%v IS NULL)DROP TABLE %v%sResponseTimeoutMissingEndpoint\[[a-z0-9_-]+\]_light_magenta_avx512vpopcntdqinvalid inf.DecPluginPrivilegenet.sock.familybad IHDR lengthbad PLTE lengthbad tRNS lengthbad filter typebad IEND lengthIPv6 wrong size198.51.100.0/24plugin.ConnInfoAuthInfo is nilSERVICE_UNKNOWNunexpected flagunhandled state15:04:05.000000/debug/requestsgoogleanalyticsdisqusshortnamegoldmark.parsermenuSort.ByNameAMP single pageWelchResamplingNearestNeighborarray-dimensioncell-error-namedescribe-objectfile-namestringfile-write-datefloat-precisionhash-table-sizehash-table-testhost-namestringinvoke-debuggermachine-versionmake-hash-tablemerge-pathnamesnset-differenceoutput-stream-ppathname-deviceposition-if-notpprint-dispatchprin1-to-stringprinc-to-stringshort-site-namesimple-string-psimple-vector-pslot-makunboundstandard-char-pstring-downcasestring-greaterpsymbol-functionwild-pathname-pwrite-to-stringload-time-valuesymbol-macroletstandard-methodstandard-objectstructure-classdef-edebug-specdefine-skeletonsave-match-datawith-case-tablewith-file-modeswith-local-quitall-completionsbacktrace-debugbacktrace-framebool-vector-notcapitalize-wordcoding-system-pcompare-stringscompleting-readcopy-hash-tablecurrent-messagedefine-categorydelete-terminaldescribe-vectordirectory-filesdowncase-regionfield-beginningfile-attributesfile-readable-pfile-writable-pfont-get-glyphsforward-commentframe-parameterframe-text-colsframe-visible-pgarbage-collectget-file-buffergetenv-internalgfile-add-watchgpm-mouse-startinput-pending-pinvocation-namekey-descriptionmake-char-tablemarker-positionmatch-beginningopen-termscriptprevious-windowprocess-commandprocess-contactrecursion-depthsearch-backwardselected-windowset-cursor-sizeset-frame-widthstart-kbd-macroterminal-live-ptest-completiontool-bar-heighttrace-redisplaytrace-to-stderrupcase-initialsuser-login-namevertical-motionw32-has-winsockwindow-top-linewindow-use-timex-get-atom-namex-server-vendorxw-color-valuestext/x-markdown\[\<matcher\>\]\d+[Ee][-+]\d+iabstract-opaquetype-struct-septype-param-typeident-or-string^(\s>\s)(.+\n)IO::Path::PartsIO::Path::Win32IO::Spec::Win32ARGS-TO-CAPTUREcalling-packagecategorize-listenum_from_valueenum_value_listexport_callbackmixin_attributeoffset-in-hourspush-until-lazyset-instruments(?<!(?<!\\)\\)"\^\^\|\^\|\$\$\|\$(?<!(?<!\\)\\)<(?<!(?<!\\)\\)>pod-declaration(?<!(?<!\\)\\)'(?<!(?<!\\)\\){@(debug\|html)\b:(catch\|then)\bembedded/al.xmlembedded/c#.xmlembedded/hy.xmlembedded/io.xml^-?\d+\.?\d$%$CubicResamplingRIFF????WEBPVP8NO_SIDE_EFFECTSLEGACY_REQUIREDLENGTH_PREFIXED%d elided lines(alias\|status)$(x\|ch\|ss\|sh)es$(vert\|ind)ices$big5_chinese_cilatin2_czech_csdec8_swedish_ciswe7_swedish_cieuckr_korean_ciutf8_general_cicp1250_czech_csutf8_tolower_ciutf8_unicode_ciutf8_latvian_ci
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: text/javascripttext/typescriptpageSort.ByDate.File.Extension.Page.File.LangDependencyScopeaggregationRulenonResourceURLsAggregationRuleDuplicate value^[-A-Za-z0-9]+$(?i)^count(.+)$bigint unsignedRETURNING %v.%vEMBEDDED_PREFIX(%v.%v IS NULL)DROP TABLE %v%sResponseTimeoutMissingEndpoint\[[a-z0-9_-]+\]_light_magenta_avx512vpopcntdqinvalid inf.DecPluginPrivilegenet.sock.familybad IHDR lengthbad PLTE lengthbad tRNS lengthbad filter typebad IEND lengthIPv6 wrong size198.51.100.0/24plugin.ConnInfoAuthInfo is nilSERVICE_UNKNOWNunexpected flagunhandled state15:04:05.000000/debug/requestsgoogleanalyticsdisqusshortnamegoldmark.parsermenuSort.ByNameAMP single pageWelchResamplingNearestNeighborarray-dimensioncell-error-namedescribe-objectfile-namestringfile-write-datefloat-precisionhash-table-sizehash-table-testhost-namestringinvoke-debuggermachine-versionmake-hash-tablemerge-pathnamesnset-differenceoutput-stream-ppathname-deviceposition-if-notpprint-dispatchprin1-to-stringprinc-to-stringshort-site-namesimple-string-psimple-vector-pslot-makunboundstandard-char-pstring-downcasestring-greaterpsymbol-functionwild-pathname-pwrite-to-stringload-time-valuesymbol-macroletstandard-methodstandard-objectstructure-classdef-edebug-specdefine-skeletonsave-match-datawith-case-tablewith-file-modeswith-local-quitall-completionsbacktrace-debugbacktrace-framebool-vector-notcapitalize-wordcoding-system-pcompare-stringscompleting-readcopy-hash-tablecurrent-messagedefine-categorydelete-terminaldescribe-vectordirectory-filesdowncase-regionfield-beginningfile-attributesfile-readable-pfile-writable-pfont-get-glyphsforward-commentframe-parameterframe-text-colsframe-visible-pgarbage-collectget-file-buffergetenv-internalgfile-add-watchgpm-mouse-startinput-pending-pinvocation-namekey-descriptionmake-char-tablemarker-positionmatch-beginningopen-termscriptprevious-windowprocess-commandprocess-contactrecursion-depthsearch-backwardselected-windowset-cursor-sizeset-frame-widthstart-kbd-macroterminal-live-ptest-completiontool-bar-heighttrace-redisplaytrace-to-stderrupcase-initialsuser-login-namevertical-motionw32-has-winsockwindow-top-linewindow-use-timex-get-atom-namex-server-vendorxw-color-valuestext/x-markdown\[\<matcher\>\]\d+[Ee][-+]\d+iabstract-opaquetype-struct-septype-param-typeident-or-string^(\s>\s)(.+\n)IO::Path::PartsIO::Path::Win32IO::Spec::Win32ARGS-TO-CAPTUREcalling-packagecategorize-listenum_from_valueenum_value_listexport_callbackmixin_attributeoffset-in-hourspush-until-lazyset-instruments(?<!(?<!\\)\\)"\^\^\|\^\|\$\$\|\$(?<!(?<!\\)\\)<(?<!(?<!\\)\\)>pod-declaration(?<!(?<!\\)\\)'(?<!(?<!\\)\\){@(debug\|html)\b:(catch\|then)\bembedded/al.xmlembedded/c#.xmlembedded/hy.xmlembedded/io.xml^-?\d+\.?\d$%$CubicResamplingRIFF????WEBPVP8NO_SIDE_EFFECTSLEGACY_REQUIREDLENGTH_PREFIXED%d elided lines(alias\|status)$(x\|ch\|ss\|sh)es$(vert\|ind)ices$big5_chinese_cilatin2_czech_csdec8_swedish_ciswe7_swedish_cieuckr_korean_ciutf8_general_cicp1250_czech_csutf8_tolower_ciutf8_unicode_ciutf8_latvian_ci
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: OpenFunc not setapplication/tomlpageSort.ByTitlepageSort.ReverseTaxonomyList(%d)template: (.?):[]LabelSelector{AggregationRule:NonResourceURLs:Read after Closerecord not foundgorm:after_queryrow_query_resulttinyint unsignedtimestamp%v NULLcloudsqlpostgresconnection resetavx512vpclmulqdqinvalid name: %qmust be positiveunknown field %vinvalid code: %dInvalid level %dinvalid checksumdefaultInterfaceunsupported typegrpc_stdio.protoplugin.StdioDatainvalid msg typesession shutdown is not exportedServerName: %q, Attributes: %v, <stream: %p, %v>^{h(?::(\d+))?}$^{m(?::(\d+))?}$out of range: %qDART_SASS_BINARYmenuSort.ReverseCosineResamplingarray-dimensionsarray-total-sizecall-next-methodcompute-restartsfind-all-symbolsget-decoded-timehash-table-countlogical-pathnamemachine-instancemake-echo-streamnstring-downcasepackage-use-listparse-namestringpathname-match-ppathname-versionread-from-stringset-exclusive-orshadowing-importsoftware-versionstring-left-trimstring-not-equalstring-not-lessptype-error-datumdefine-conditionwith-open-streamarithmetic-errordivision-by-zerosimple-conditionunbound-variablebroadcast-streamgeneric-functionstructure-objectdeclare-functiondelay-mode-hookseval-and-compilepcase-exhaustivewith-temp-buffersave-restrictionadd-name-to-fileapropos-internalautoload-do-loadbuffer-file-namebuffer-substringbuffer-swap-textbyte-to-positioncategory-table-pchar-or-string-pchar-table-rangeclear-face-cacheclear-font-cachecontinue-processdecode-big5-chardecode-sjis-charencode-big5-charencode-sjis-charexpand-file-namefile-directory-pfile-system-infofont-family-listfontset-list-allformat-mode-lineframe-char-widthframe-face-alistframe-font-cacheframe-parametersframe-text-linesframe-text-widthframe-total-colsget-pos-propertyget-screen-colorinotify-rm-watchinteractive-formlocal-variable-plookup-image-mapmake-bool-vectorminibuffer-depthmsdos-mouse-initnarrow-to-regionnumber-to-stringoverlay-recenterpoint-max-markerpoint-min-markerposix-looking-atprocess-send-eofprocess-sentinelprocess-tty-nameprofiler-cpu-logregion-beginningrun-hook-wrappedset-fontset-fontset-frame-heightset-message-beepset-screen-colorset-syntax-tableset-window-pointset-window-startstring-to-numberstring-to-syntaxtty-no-underlinewindow-new-pixelwindow-new-totalwindow-old-pointwindow-parameterwindow-pixel-topwindow-top-childx-display-planesx-frame-geometryx-parse-geometryx-server-versionzlib-available-pwith-no-warningstext/html+genshiGo HTML TemplateGo Text Templatego-text-template\[[a-zA-Z_]\w\]reStructuredTextrestructuredtextnested_directivedeep_not_matcher[a-z-]+/[a-z-+]+\[(?=[^#{}$]+\])(0\|[1-9][0-9_])parenthesis-openprop-get-set-opttype-parenthesisBacktrace::FrameIO::NotificationIO::Path::CygwinIO::Socket::INETIO::Spec::CygwinMetamodel::C3MROPod::Block::CodePod::Block::Paraatomic-dec-fetchatomic-fetch-addatomic-fetch-decatomic-fetch-incatomic-fetch-subatomic-inc-fetchroles_to_composeset_composalizeruncaught_handlerweekday-of-month)\k<delimiter>)0b[01]+(_[01]+)*(?<!(?<!\\)\\)\[(?<!(?<!
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: OpenFunc not setapplication/tomlpageSort.ByTitlepageSort.ReverseTaxonomyList(%d)template: (.?):[]LabelSelector{AggregationRule:NonResourceURLs:Read after Closerecord not foundgorm:after_queryrow_query_resulttinyint unsignedtimestamp%v NULLcloudsqlpostgresconnection resetavx512vpclmulqdqinvalid name: %qmust be positiveunknown field %vinvalid code: %dInvalid level %dinvalid checksumdefaultInterfaceunsupported typegrpc_stdio.protoplugin.StdioDatainvalid msg typesession shutdown is not exportedServerName: %q, Attributes: %v, <stream: %p, %v>^{h(?::(\d+))?}$^{m(?::(\d+))?}$out of range: %qDART_SASS_BINARYmenuSort.ReverseCosineResamplingarray-dimensionsarray-total-sizecall-next-methodcompute-restartsfind-all-symbolsget-decoded-timehash-table-countlogical-pathnamemachine-instancemake-echo-streamnstring-downcasepackage-use-listparse-namestringpathname-match-ppathname-versionread-from-stringset-exclusive-orshadowing-importsoftware-versionstring-left-trimstring-not-equalstring-not-lessptype-error-datumdefine-conditionwith-open-streamarithmetic-errordivision-by-zerosimple-conditionunbound-variablebroadcast-streamgeneric-functionstructure-objectdeclare-functiondelay-mode-hookseval-and-compilepcase-exhaustivewith-temp-buffersave-restrictionadd-name-to-fileapropos-internalautoload-do-loadbuffer-file-namebuffer-substringbuffer-swap-textbyte-to-positioncategory-table-pchar-or-string-pchar-table-rangeclear-face-cacheclear-font-cachecontinue-processdecode-big5-chardecode-sjis-charencode-big5-charencode-sjis-charexpand-file-namefile-directory-pfile-system-infofont-family-listfontset-list-allformat-mode-lineframe-char-widthframe-face-alistframe-font-cacheframe-parametersframe-text-linesframe-text-widthframe-total-colsget-pos-propertyget-screen-colorinotify-rm-watchinteractive-formlocal-variable-plookup-image-mapmake-bool-vectorminibuffer-depthmsdos-mouse-initnarrow-to-regionnumber-to-stringoverlay-recenterpoint-max-markerpoint-min-markerposix-looking-atprocess-send-eofprocess-sentinelprocess-tty-nameprofiler-cpu-logregion-beginningrun-hook-wrappedset-fontset-fontset-frame-heightset-message-beepset-screen-colorset-syntax-tableset-window-pointset-window-startstring-to-numberstring-to-syntaxtty-no-underlinewindow-new-pixelwindow-new-totalwindow-old-pointwindow-parameterwindow-pixel-topwindow-top-childx-display-planesx-frame-geometryx-parse-geometryx-server-versionzlib-available-pwith-no-warningstext/html+genshiGo HTML TemplateGo Text Templatego-text-template\[[a-zA-Z_]\w\]reStructuredTextrestructuredtextnested_directivedeep_not_matcher[a-z-]+/[a-z-+]+\[(?=[^#{}$]+\])(0\|[1-9][0-9_])parenthesis-openprop-get-set-opttype-parenthesisBacktrace::FrameIO::NotificationIO::Path::CygwinIO::Socket::INETIO::Spec::CygwinMetamodel::C3MROPod::Block::CodePod::Block::Paraatomic-dec-fetchatomic-fetch-addatomic-fetch-decatomic-fetch-incatomic-fetch-subatomic-inc-fetchroles_to_composeset_composalizeruncaught_handlerweekday-of-month)\k<delimiter>)0b[01]+(_[01]+)*(?<!(?<!\\)\\)\[(?<!(?<!
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: truncated profilemalformed profileerror logging: %s:cacheDir/modules:resourceDir/_genno output formatspageSort.ByWeightpageSort.ByLengthpageSort.ByParam.&AggregationRule{&ClusterRoleList{&RoleBindingList{FieldValueTooLongFieldValueTooManyUnsupported value^[-._a-zA-Z0-9]+$must be non-emptya qualified name jinzhu/gorm/..gogorm:after_creategorm:after_deletegorm:query_optiongorm:auto_preloadSAVE_ASSOCIATIONSgorm:after_updategorm:update_attrsSELECT DATABASE()POLYMORPHIC_VALUE ) AS count_tableinvalid range: %v%s: %v is not set%%!%c(dec.Dec=%s)net.protocol.nameno data to encodeUnknown data modegrpc_broker.protostreams exhaustedkeepalive timeoutTRANSIENT_FAILUREgrpc-message-typemenuSort.ByWeightMitchellNetravaliBSplineResamplingHammingResamplingallocate-instancearray-in-bounds-pchar-not-greaterpdelete-duplicatesenough-namestringfunction-keywordslist-all-packagesmake-random-statemethod-qualifiersnset-exclusive-orpackage-nicknamesread-char-no-hangremove-duplicatesshared-initializestring-capitalizestring-right-trimsubstitute-if-not&allow-other-keyscompiled-functionsimple-bit-vectorserious-conditionsimple-type-errorstorage-conditioncl-do-all-symbolsdefine-minor-modeeval-when-compilewith-syntax-tablewith-temp-messagewith-wrapper-hookbacktrace--localsbeginning-of-linebool-vector-unionbuffer-modified-pcapitalize-regioncar-less-than-carchar-category-setchar-table-parentclear-image-cachecoding-system-putcolor-supported-pcommand-remappingcontrolling-tty-pcopy-syntax-tablecurrent-idle-timecurrent-local-mapcurrent-time-zonedebug-timer-checkdump-glyph-matrixdump-tool-bar-rowexecute-kbd-macrofile-executable-pframe-char-heightframe-pixel-widthframe-root-windowframe-text-heightframe-total-linesget-buffer-createget-buffer-windowget-char-propertyget-load-suffixesget-text-propertyimagemagick-typesindirect-functionindirect-variableinotify-add-watchinterrupt-processline-end-positionline-pixel-heightlocal-key-bindingmake-category-setmap-charset-charsmemory-use-countsminibuffer-promptminibuffer-windowopen-dribble-fileprofiler-cpu-stopput-text-propertyre-search-forwardread-key-sequenceset-charset-plistset-keymap-parentset-process-plistset-window-bufferstring-as-unibytestring-to-unibytesuspicious-objecttext-property-anythis-command-keystranspose-regionsw32-shell-executewhere-is-internalwindow-body-widthwindow-left-childwindow-new-normalwindow-parameterswindow-pixel-leftwindow-text-widthx-display-screensx-load-color-filex-open-connectionx-window-propertyembedded/html.xmlapplication/x-kidapplication/x-phptext/x-typoscriptsite_block_commondeep_subdirectiveabstract-relationparenthesis-closeIO::Socket::AsyncMetamodel::MixinsMetamodel::NamingPod::Block::NamedPod::Block::TableTelemetry::Periodalternative-namesconfigure_destroyexplicitly-manageis-initial-threadnative-descriptornew-from-daycountoffset-in-minutessetup_mixin_cache(?<=\[\\?)<(?=\])pre-pod-formatter\n \n\|\n(?=^ *=)TypoScriptCSSDataembedded/abap.xmlembedded/abnf.xmlembedded/agda.xmlembedded/bash.xmlembedded/dart.xmlembedded
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: truncated profilemalformed profileerror logging: %s:cacheDir/modules:resourceDir/_genno output formatspageSort.ByWeightpageSort.ByLengthpageSort.ByParam.&AggregationRule{&ClusterRoleList{&RoleBindingList{FieldValueTooLongFieldValueTooManyUnsupported value^[-._a-zA-Z0-9]+$must be non-emptya qualified name jinzhu/gorm/..gogorm:after_creategorm:after_deletegorm:query_optiongorm:auto_preloadSAVE_ASSOCIATIONSgorm:after_updategorm:update_attrsSELECT DATABASE()POLYMORPHIC_VALUE ) AS count_tableinvalid range: %v%s: %v is not set%%!%c(dec.Dec=%s)net.protocol.nameno data to encodeUnknown data modegrpc_broker.protostreams exhaustedkeepalive timeoutTRANSIENT_FAILUREgrpc-message-typemenuSort.ByWeightMitchellNetravaliBSplineResamplingHammingResamplingallocate-instancearray-in-bounds-pchar-not-greaterpdelete-duplicatesenough-namestringfunction-keywordslist-all-packagesmake-random-statemethod-qualifiersnset-exclusive-orpackage-nicknamesread-char-no-hangremove-duplicatesshared-initializestring-capitalizestring-right-trimsubstitute-if-not&allow-other-keyscompiled-functionsimple-bit-vectorserious-conditionsimple-type-errorstorage-conditioncl-do-all-symbolsdefine-minor-modeeval-when-compilewith-syntax-tablewith-temp-messagewith-wrapper-hookbacktrace--localsbeginning-of-linebool-vector-unionbuffer-modified-pcapitalize-regioncar-less-than-carchar-category-setchar-table-parentclear-image-cachecoding-system-putcolor-supported-pcommand-remappingcontrolling-tty-pcopy-syntax-tablecurrent-idle-timecurrent-local-mapcurrent-time-zonedebug-timer-checkdump-glyph-matrixdump-tool-bar-rowexecute-kbd-macrofile-executable-pframe-char-heightframe-pixel-widthframe-root-windowframe-text-heightframe-total-linesget-buffer-createget-buffer-windowget-char-propertyget-load-suffixesget-text-propertyimagemagick-typesindirect-functionindirect-variableinotify-add-watchinterrupt-processline-end-positionline-pixel-heightlocal-key-bindingmake-category-setmap-charset-charsmemory-use-countsminibuffer-promptminibuffer-windowopen-dribble-fileprofiler-cpu-stopput-text-propertyre-search-forwardread-key-sequenceset-charset-plistset-keymap-parentset-process-plistset-window-bufferstring-as-unibytestring-to-unibytesuspicious-objecttext-property-anythis-command-keystranspose-regionsw32-shell-executewhere-is-internalwindow-body-widthwindow-left-childwindow-new-normalwindow-parameterswindow-pixel-leftwindow-text-widthx-display-screensx-load-color-filex-open-connectionx-window-propertyembedded/html.xmlapplication/x-kidapplication/x-phptext/x-typoscriptsite_block_commondeep_subdirectiveabstract-relationparenthesis-closeIO::Socket::AsyncMetamodel::MixinsMetamodel::NamingPod::Block::NamedPod::Block::TableTelemetry::Periodalternative-namesconfigure_destroyexplicitly-manageis-initial-threadnative-descriptornew-from-daycountoffset-in-minutessetup_mixin_cache(?<=\[\\?)<(?=\])pre-pod-formatter\n \n\|\n(?=^ *=)TypoScriptCSSDataembedded/abap.xmlembedded/abnf.xmlembedded/agda.xmlembedded/bash.xmlembedded/dart.xmlembedded
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: :cacheDir/:projectsecurity.http.urlspageSort.ByLastmodClusterRoleBindingFieldValueRequiredFieldValueNotFoundsupported values: invalid value typegorm:before_creategorm:insert_optiongorm:before_deletegorm:before_updategorm:update_optionint AUTO_INCREMENT(%v.%v NOT IN (?))gorm:table_options, PRIMARY KEY (%v)%s %v ON %v(%v) %v":file::line::col"dart-sass-embeddedGetConsoleOutputCPduplicate name: %qduplicate field %vGetPerformanceInfonet.sock.peer.addrnet.sock.peer.portnet.sock.host.addrnet.sock.host.portmode not supportedchunk out of ordercompression methoddimension overflow255.255.255.255/32bad resolver statethe stream is doneinvalid config: %v%d, %f, %d, %d, %vindex is finalizedindex %q not foundindex %q not validGaussianResamplingBlackmanResamplingBartlettResamplingadjustable-array-parray-displacementarray-element-typefile-string-lengthget-setf-expansionget-universal-timenstring-capitalizensubstitute-if-notpathname-directoryspecial-operator-ptranslate-pathnamevector-push-extenddestructuring-bindsimple-base-stringprint-not-readableundefined-functionmethod-combinationcl-load-time-valuecl-symbol-macroletaccessible-keymapsbuffer-base-bufferbuffer-enable-undobuffer-local-valuecall-interactivelycategory-docstringchar-table-subtypeclear-charset-mapscoding-system-baseconstrain-to-fieldcurrent-case-tablecurrent-global-mapcurrent-input-modedaemon-initializeddefault-file-modesevent-convert-listfont-shape-gstringformat-time-stringframe-border-widthframe-first-windowframe-fringe-widthframe-pixel-heightget-buffer-processglobal-key-bindinggnutls-available-pgnutls-peer-statusinit-image-libraryinsert-and-inheritinternal-char-fontmake-frame-visiblemake-sparse-keymapmake-symbolic-linkmsdos-mouse-enablemsdos-set-keyboardmultibyte-string-pnumber-or-marker-poverlay-propertiesparse-partial-sexpposix-string-matchprocess-attributesprocess-connectionprofiler-cpu-startre-search-backwardread-coding-systemrecent-auto-save-prun-hook-with-argsset-category-tableset-frame-positionset-mouse-positionset-process-bufferset-process-filterset-time-zone-ruleset-window-fringesset-window-hscrollset-window-marginsset-window-vscrollskip-chars-forwardspecial-variable-pterminal-parametertext-properties-atvisible-frame-listw32-battery-statusw32-long-file-namew32-unload-winsockw32notify-rm-watchwindow-body-heightwindow-dedicated-pwindow-left-columnwindow-line-heightwindow-normal-sizewindow-pixel-edgeswindow-pixel-widthwindow-scroll-barswindow-text-heightwindow-total-widthx-close-connectionx-display-mm-widthx-wm-set-size-hintxw-color-defined-pxw-display-color-pwith-electric-helpapplication/x-raku<\s[a-zA-Z0-9:.]+(import\|package)\b0[xX][0-9a-fA-F_]+"(\\\\\|\\"\|[^"])"preproc-expr-chainoptional-semicolonfunction-param-sep(?:case\|default)\barray-access-closeDistribution::HashDistribution::PathMetamodel::EnumHOWTelemetry::SamplerMONKEY-SEE-NO-EVALadd_private_methoddelete-by-compilersetup_finalization::\?\w+(?::[_UD])?opening_delimiters(:)(!?)(\w[\w'-]*)escape-hexadecimalregex-escape-classclosing_deli
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: :cacheDir/:projectsecurity.http.urlspageSort.ByLastmodClusterRoleBindingFieldValueRequiredFieldValueNotFoundsupported values: invalid value typegorm:before_creategorm:insert_optiongorm:before_deletegorm:before_updategorm:update_optionint AUTO_INCREMENT(%v.%v NOT IN (?))gorm:table_options, PRIMARY KEY (%v)%s %v ON %v(%v) %v":file::line::col"dart-sass-embeddedGetConsoleOutputCPduplicate name: %qduplicate field %vGetPerformanceInfonet.sock.peer.addrnet.sock.peer.portnet.sock.host.addrnet.sock.host.portmode not supportedchunk out of ordercompression methoddimension overflow255.255.255.255/32bad resolver statethe stream is doneinvalid config: %v%d, %f, %d, %d, %vindex is finalizedindex %q not foundindex %q not validGaussianResamplingBlackmanResamplingBartlettResamplingadjustable-array-parray-displacementarray-element-typefile-string-lengthget-setf-expansionget-universal-timenstring-capitalizensubstitute-if-notpathname-directoryspecial-operator-ptranslate-pathnamevector-push-extenddestructuring-bindsimple-base-stringprint-not-readableundefined-functionmethod-combinationcl-load-time-valuecl-symbol-macroletaccessible-keymapsbuffer-base-bufferbuffer-enable-undobuffer-local-valuecall-interactivelycategory-docstringchar-table-subtypeclear-charset-mapscoding-system-baseconstrain-to-fieldcurrent-case-tablecurrent-global-mapcurrent-input-modedaemon-initializeddefault-file-modesevent-convert-listfont-shape-gstringformat-time-stringframe-border-widthframe-first-windowframe-fringe-widthframe-pixel-heightget-buffer-processglobal-key-bindinggnutls-available-pgnutls-peer-statusinit-image-libraryinsert-and-inheritinternal-char-fontmake-frame-visiblemake-sparse-keymapmake-symbolic-linkmsdos-mouse-enablemsdos-set-keyboardmultibyte-string-pnumber-or-marker-poverlay-propertiesparse-partial-sexpposix-string-matchprocess-attributesprocess-connectionprofiler-cpu-startre-search-backwardread-coding-systemrecent-auto-save-prun-hook-with-argsset-category-tableset-frame-positionset-mouse-positionset-process-bufferset-process-filterset-time-zone-ruleset-window-fringesset-window-hscrollset-window-marginsset-window-vscrollskip-chars-forwardspecial-variable-pterminal-parametertext-properties-atvisible-frame-listw32-battery-statusw32-long-file-namew32-unload-winsockw32notify-rm-watchwindow-body-heightwindow-dedicated-pwindow-left-columnwindow-line-heightwindow-normal-sizewindow-pixel-edgeswindow-pixel-widthwindow-scroll-barswindow-text-heightwindow-total-widthx-close-connectionx-display-mm-widthx-wm-set-size-hintxw-color-defined-pxw-display-color-pwith-electric-helpapplication/x-raku<\s[a-zA-Z0-9:.]+(import\|package)\b0[xX][0-9a-fA-F_]+"(\\\\\|\\"\|[^"])"preproc-expr-chainoptional-semicolonfunction-param-sep(?:case\|default)\barray-access-closeDistribution::HashDistribution::PathMetamodel::EnumHOWTelemetry::SamplerMONKEY-SEE-NO-EVALadd_private_methoddelete-by-compilersetup_finalization::\?\w+(?::[_UD])?opening_delimiters(:)(!?)(\w[\w'-]*)escape-hexadecimalregex-escape-classclosing_deli
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: golang.org/x/cryptosecurity.exec.allowapplication/rss+xmlpageSort.ByLanguageWeightedPage(%d,%q)descriptor mismatchFieldValueForbiddenFieldValueDuplicateDROP INDEX %v ON %vINNER JOIN %v ON %v(%v.%v IS NOT NULL)CREATE UNIQUE INDEXRUNEWIDTH_EASTASIANmodulus must be odd<unknown slog.Kind>invalid nil pointerfield %v is invalidunexpected token %sinvalid %v value %vinvalid decimal: %sNtReadVirtualMemoryPdhCollectQueryDataGetExtendedTcpTableGetExtendedUdpTableuser_agent.originalWriteConsoleOutputWtoo much pixel data^\s(%s)\s(%s)\s$0:0:0:0:0:ffff::/96PrivacyAndIntegrityrpc.Register: type goldmark.extensionskeepspecialcommentscompiled-function-pfile-error-pathnameget-macro-characterinitialize-instancemake-synonym-streammake-two-way-streamread-delimited-listset-macro-characterset-pprint-dispatchsimple-bit-vector-pstream-element-typestream-error-streamstring-not-greaterpmultiple-value-calldefine-modify-macrodefine-symbol-macrodo-external-symbolsmultiple-value-bindmultiple-value-listmultiple-value-setqwith-simple-restartconcatenated-streamatomic-change-groupdefine-alternativesdefine-derived-modedefine-generic-modewith-category-tablewith-current-bufferwith-demoted-errorswith-selected-framesave-current-bufferSnarf-documentationadd-text-propertiesbool-vector-subsetpcall-last-kbd-macrocall-process-regioncharset-id-internalcheck-coding-systemcoding-system-plistcopy-category-tablecurrent-active-mapscurrent-indentationcurrent-time-stringdelete-all-overlaysdirectory-file-nameexit-recursive-editfile-name-directoryfind-charset-regionfind-charset-stringfont-otf-alternatesforce-window-updateget-unused-categorygnutls-error-fatalpgnutls-error-stringhandle-save-sessionhandle-switch-framehash-table-weaknessinteger-or-marker-pkill-local-variablemake-category-tablemake-local-variablemake-serial-processmake-terminal-framemap-keymap-internalminibuffer-contentsmodify-syntax-entrymove-point-visuallymove-to-window-linemsdos-mouse-disablenewline-cache-checknext-overlay-changeoptimize-char-tableplay-sound-internalprocess-exit-statusprocess-send-regionprocess-send-stringprofiler-memory-logread-char-exclusivescroll-other-windowself-insert-commandset-input-meta-modeset-text-propertiesshow-face-resourcesskip-chars-backwardskip-syntax-forwardstandard-case-tablestring-as-multibytestring-make-unibytestring-to-multibyteterminal-parameterstty-display-color-pw32-get-locale-infow32-short-file-namew32-toggle-lock-keyw32-window-exists-pw32notify-add-watchwindow-inside-edgeswindow-minibuffer-pwindow-next-bufferswindow-next-siblingwindow-pixel-heightwindow-prev-bufferswindow-prev-siblingwindow-resize-applywindow-total-heightx-display-mm-heightx-register-dnd-atomx-selection-owner-papplication/x-perl6(?:def\|for\|if)\s+.<\s*py:[a-zA-Z0-9]+preproc-parenthesis(?:untyped\|throw)\bMetamodel::ClassHOWMetamodel::StashingMetamodel::TrustingPod::Block::CommentRoutine::WrapHandleThreadPoolSchedulerfirst-date-in-monthset_export_callbackset_mixin_attribute(
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: [0m%s %-44s GlobalMemoryStatusExLookupPrivilegeNameWnet.protocol.versionrpc.grpc.status_codeSetConsoleWindowInfoBad chunk length: %d2002:c058:6301::/120recv window exceededi/o deadline reachedtransport is closinggRPC requires HTTP/2grpc-accept-encodingGracefulClose calledCatmullRomResampling\"(enable\w+)\":nullcopy-pprint-dispatchdirectory-namestringinteger-decode-floatinteractive-stream-pinvalid-method-errorno-applicable-methodpackage-used-by-listset-syntax-from-charmultiple-value-prog1define-setf-expanderpprint-logical-blocksave-selected-windowwith-coding-prioritywith-eval-after-loadwith-selected-windowabort-recursive-editbase64-decode-regionbase64-decode-stringbase64-encode-regionbase64-encode-stringbidi-resolved-levelsbuffer-modified-tickbury-buffer-internalbyte-code-function-pdbus-get-unique-namedecode-coding-regiondecode-coding-stringdefault-printer-namedefine-charset-aliasdefine-fringe-bitmapdetect-coding-regiondetect-coding-stringencode-coding-regionencode-coding-stringerror-message-stringfile-name-absolute-pfile-name-completionfile-selinux-contextfont-face-attributesfont-get-system-fontgnutls-get-initstageinsert-file-contentsinternal-lisp-face-pinternal-show-cursorinvocation-directorylocate-file-internalmake-frame-invisiblemake-indirect-buffermake-network-processmenu-bar-menu-at-x-ymerge-face-attributemouse-pixel-positionnext-property-changeposix-search-forwardprefix-numeric-valueprofiler-memory-stopread-from-minibufferread-no-blanks-inputredirect-frame-focusregister-ccl-programset-buffer-multibyteset-char-table-rangeset-charset-priorityset-process-sentinelset-window-new-pixelset-window-new-totalset-window-parameterskip-syntax-backwardstring-collate-lesspsubst-char-in-regionterminal-local-valuetool-bar-pixel-widthuser-real-login-namevisited-file-modtimew32-define-rgb-colorw32-register-hot-keyw32-send-sys-commandwindow-display-tablex-display-save-underx-selection-exists-p(?m)^@\s+IN\s+SOA\s+Caddyfile Directivescaddyfile-directivesapplication/x-genshiapplication/x-svelte(choose\|otherwise)\b\.\d+([Ee][-+]\d+)?i[\|^<>=!()\[\]{}.,;:](?:extern\|private)\b(?:continue\|break)\bCompUnit::RepositorySupplier::Preservinginstall_method_cacheprivate_method_namesprivate_method_tablepublish_method_cache(\w[\w'-])(\s)(=>)colon-pair-attributeembedded/arduino.xmlembedded/cheetah.xmlembedded/clojure.xmlembedded/crystal.xmlembedded/fortran.xmlembedded/gherkin.xmlembedded/gnuplot.xmlembedded/graphql.xmlembedded/haskell.xmlembedded/hexdump.xmlembedded/monkeyc.xmlembedded/natural.xmlembedded/systemd.xmlembedded/termcap.xmlembedded/v_shell.xmlembedded/verilog.xmlwebp: invalid formatinvalid map key typeFilterValues(%s, %v)(alias\|status)(es)?$cp1257_lithuanian_ciutf8mb4_icelandic_ciutf8mb4_slovenian_ciutf8mb4_esperanto_ciutf8mb4_hungarian_ciunknown auth plugin:mysql_clear_passwordallowNativePasswordsinvalid bool value: Reader '%s' is <nil>illegal %s length %dcloudsqlconn/latencybatch already closedstatement_cache_modeselect lo_create($1)select lo_unlink($1)select l
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: \_ (?i)^(\s*)#\+RESULTS:02 Jan 06 15:04 -0700tag:yaml.org,2002:seqtag:yaml.org,2002:maptag:yaml.org,2002:strinvalid emitter stateexpected STREAM-STARTexpected DOCUMENT-ENDcannot marshal type: tag:yaml.org,2002:intwrite handler not setIPv4 address too longunexpected slice sizeFloat.SetFloat64(NaN)set bit is not 0 or 1flag %q begins with -%s flag redefined: %sAZURE_GO_SDK_LOG_FILEtag is not an integerunrecognized type: %v\[(?:[a-fA-F0-9:]+)\]invalid named captureunexpected stream endUNVERIFIED_TRANSITIONVERIFIED_INITIAL_HIGHGROUP_CHANGE_RESTRICTGROUP_CHANGE_ANNOUNCEGROUP_PARTICIPANT_ADDproto.LocationMessageproto.DocumentMessageproto.ProtocolMessageproto.FourRowTemplateproto.TemplateMessageproto.CatalogSnapshotproto.ProductSnapshotinvalid nesting depthlogical.PluginVersionSubConn shutting downfallback to scheme %q"FAILED_PRECONDITION"GetProcessHandleCount%d error(s) occurred:%s profile: total %d
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: handler cannot be nilsecurity.funcs.getenvinvalid slice type %Tpages.MergeByLanguagepageSort.ByExpiryDateinvalid nil TimestampClusterRoleSelectors:[]ClusterRoleBinding{FieldValueTypeInvalidjinzhu/gorm/.test.goINSERT INTO %v %v%v%vgorm:update_interfaceBIGINT AUTO_INCREMENTbigint AUTO_INCREMENTfield value not validASSOCIATIONFOREIGNKEYExpiredTokenExceptioninvalid scalar lengthExtensionRangeOptionsmismatching field: %vmissing "@type" fieldgoogle.protobuf.Valuemissing "value" fieldRtlNtStatusToDosErrorPdhAddEnglishCounterWpng: invalid format: not enough pixel data0:0:0:0:0:ffff:0:0/96grpc_controller.proto(%d events discarded)GRPC_GO_LOG_FORMATTERdue to a non-default array-row-major-indexcompile-file-pathnamedecode-universal-timeencode-universal-timeget-internal-run-timemake-broadcast-streampackage-error-packagereinitialize-instancesynonym-stream-symbolunbound-slot-instanceuser-homedir-pathnamedefine-compiler-macrowith-compilation-unitwith-output-to-stringwith-package-iteratorcl-destructuring-bindsave-window-excursionaccept-process-outputbackward-prefix-charsbuffer-has-markers-atccl-execute-on-stringchar-table-extra-slotcharset-priority-listcoding-system-aliasesdbus-message-internaldeclare-equiv-charsetdefine-prefix-commanddestroy-fringe-bitmapfile-attributes-lesspfont-variation-glyphsframe-selected-windowfringe-bitmaps-at-posfuncall-interactivelyinsert-before-markersinsert-startup-screeninternal--track-mouselist-system-processesmarker-insertion-typeminibuffer-prompt-endmodify-category-entrymsdos-long-file-namesposix-search-backwardprocess-coding-systemprofiler-memory-startset-buffer-auto-savedset-buffer-major-modeset-buffer-modified-pset-char-table-parentset-minibuffer-windowset-window-new-normalsplit-window-internalstandard-syntax-tablestore-kbd-macro-eventstring-collate-equalpstring-make-multibytetext-char-descriptiontext-property-not-allw32-default-color-mapx-display-color-cellsx-display-grayscale-px-display-pixel-widthx-send-client-messagex-uses-old-gtk-dialog(import)(\s+)([^\s]+)(<\?python)(.?)(\?>)\.\d+([eE][+\-]?\d+)?(?:class\|interface)\bstring-interpol-closetype-param-constraint(?:true\|false\|null)\bhidden-from-backtraceDistribution::LocallyMetamodel::PrimitivesMetamodel::Versioningfind_method_qualified(?<!(?<!\\)\\)<$\|$>regex-character-class(?<!(?<!\\)\\)(\\)(.)embedded/angular2.xmlembedded/gdscript.xmlembedded/iscdhcpd.xmlembedded/makefile.xmlembedded/minizinc.xmlembedded/modula-2.xmlembedded/newspeak.xmlembedded/openscad.xmlembedded/org_mode.xmlembedded/pl_pgsql.xmlembedded/python_2.xmlembedded/reasonml.xmlembedded/solidity.xmlembedded/tablegen.xmlembedded/terminfo.xml[\p{N}\p{L}]+[^\s-/]*(?:([^f])fe\|([lr])f)$utf8mb4_lithuanian_ciutf8mb4_vietnamese_cicaching_sha2_passwordmysql_native_passwordunknown field type %dno rows in result setselect loread($1, $2)release savepoint sp_NoCredentialProvidersAsia Pacific (Mumbai)Asia Pacific (Sydney)Canada West (Calgary)Middle East (Bahrain)US East (N. Virginia)agreement-marketplaceapi.elastic-infere
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: [0m[%s]%s %-44s invalid interlace methodplugin.StdioData_Channelinvalid protocol versionconnection write timeoutrpc: can't find service code: %s, debug data: %q^[a-zA-Z_][a-zA-Z0-9_]*$tabwriter: panic during empty deployment matcherSection list for "posts"array-has-fill-pointer-pbroadcast-stream-streamsecho-stream-input-streamensure-directories-existget-output-stream-stringlisp-implementation-typemake-concatenated-streammake-string-input-streammethod-combination-errortype-error-expected-typewith-hash-table-iteratorfloating-point-underflowcl-define-compiler-macrodefine-global-minor-modewith-tramp-file-propertyactive-minibuffer-windowbarf-if-buffer-read-onlybool-vector-exclusive-orbool-vector-intersectiondescribe-buffer-bindingsgenerate-new-buffer-nameinternal-complete-bufferkill-all-local-variableslast-nonminibuffer-framelibxml-parse-html-regionprevious-property-changeprocess-datagram-addressread-key-sequence-vectorserial-process-configureset-file-selinux-contextset-input-interrupt-modeset-mouse-pixel-positionset-terminal-local-valueset-visited-file-modtimeset-window-configurationset-window-display-tablethis-command-keys-vectorthis-single-command-keysw32-get-codepage-charsetw32-get-console-codepagew32-get-valid-locale-idsw32-set-console-codepagew32-set-process-prioritywaiting-for-user-input-pwindow-combination-limitwindow-scroll-bar-heightx-change-window-propertyx-delete-window-propertyx-get-selection-internalx-menu-bar-open-internalx-own-selection-internalembedded/common_lisp.xmlembedded/go_template.xmlapplication/x-httpd-php3application/x-httpd-php4application/x-httpd-php5text/prs.fallenstein.rst(?:extends\|implements)\bIO::Notification::ChangeMetamodel::RoleContainer([$@])((?<!(?<!\\)\\)\()regex-starting-operatorsembedded/applescript.xmlembedded/cap_n_proto.xmlembedded/cfstatement.xmlembedded/mathematica.xmlembedded/objective-c.xmlembedded/plutus_core.xmlembedded/standard_ml.xmlembedded/tradingview.xmlgif: too much image datagif: invalid pixel valueMESSAGE_ENCODING_UNKNOWNutf8_general_mysql500_ciallowFallbackToPlaintextstatement_cache_capacityAsia Pacific (Hong Kong)Asia Pacific (Hyderabad)Asia Pacific (Singapore)Asia Pacific (Melbourne)athena.ap-east-1.api.awsathena.eu-west-1.api.awsathena.eu-west-2.api.awsathena.eu-west-3.api.awsathena.sa-east-1.api.awsathena.us-east-1.api.awsathena.us-east-2.api.awsathena.us-west-1.api.awsathena.us-west-2.api.awscloudfront.amazonaws.comaos.ca-central-1.api.awsaos.eu-central-1.api.awsaos.eu-central-2.api.awsaos.il-central-1.api.awsaos.me-central-1.api.awslambda.ap-east-1.api.awslambda.ca-west-1.api.awslambda.eu-west-1.api.awslambda.eu-west-2.api.awslambda.eu-west-3.api.awslambda.sa-east-1.api.awslambda.us-east-1.api.awslambda.us-east-2.api.awslambda.us-west-1.api.awslambda.us-west-2.api.awsrekognition.ca-central-1budgets.amazonaws.com.cnroute53.amazonaws.com.cnacm.{region}.{dnsSuffix}dms.{region}.{dnsSuffix}ec2.{region}.{dnsSuffix}eks.{region}.{dnsSuffix}iam.us-gov.amazonaws.comrds.{region}.{dnsSuffix}sqs.{reg
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: [0m[%s]%s %-44s invalid interlace methodplugin.StdioData_Channelinvalid protocol versionconnection write timeoutrpc: can't find service code: %s, debug data: %q^[a-zA-Z_][a-zA-Z0-9_]*$tabwriter: panic during empty deployment matcherSection list for "posts"array-has-fill-pointer-pbroadcast-stream-streamsecho-stream-input-streamensure-directories-existget-output-stream-stringlisp-implementation-typemake-concatenated-streammake-string-input-streammethod-combination-errortype-error-expected-typewith-hash-table-iteratorfloating-point-underflowcl-define-compiler-macrodefine-global-minor-modewith-tramp-file-propertyactive-minibuffer-windowbarf-if-buffer-read-onlybool-vector-exclusive-orbool-vector-intersectiondescribe-buffer-bindingsgenerate-new-buffer-nameinternal-complete-bufferkill-all-local-variableslast-nonminibuffer-framelibxml-parse-html-regionprevious-property-changeprocess-datagram-addressread-key-sequence-vectorserial-process-configureset-file-selinux-contextset-input-interrupt-modeset-mouse-pixel-positionset-terminal-local-valueset-visited-file-modtimeset-window-configurationset-window-display-tablethis-command-keys-vectorthis-single-command-keysw32-get-codepage-charsetw32-get-console-codepagew32-get-valid-locale-idsw32-set-console-codepagew32-set-process-prioritywaiting-for-user-input-pwindow-combination-limitwindow-scroll-bar-heightx-change-window-propertyx-delete-window-propertyx-get-selection-internalx-menu-bar-open-internalx-own-selection-internalembedded/common_lisp.xmlembedded/go_template.xmlapplication/x-httpd-php3application/x-httpd-php4application/x-httpd-php5text/prs.fallenstein.rst(?:extends\|implements)\bIO::Notification::ChangeMetamodel::RoleContainer([$@])((?<!(?<!\\)\\)\()regex-starting-operatorsembedded/applescript.xmlembedded/cap_n_proto.xmlembedded/cfstatement.xmlembedded/mathematica.xmlembedded/objective-c.xmlembedded/plutus_core.xmlembedded/standard_ml.xmlembedded/tradingview.xmlgif: too much image datagif: invalid pixel valueMESSAGE_ENCODING_UNKNOWNutf8_general_mysql500_ciallowFallbackToPlaintextstatement_cache_capacityAsia Pacific (Hong Kong)Asia Pacific (Hyderabad)Asia Pacific (Singapore)Asia Pacific (Melbourne)athena.ap-east-1.api.awsathena.eu-west-1.api.awsathena.eu-west-2.api.awsathena.eu-west-3.api.awsathena.sa-east-1.api.awsathena.us-east-1.api.awsathena.us-east-2.api.awsathena.us-west-1.api.awsathena.us-west-2.api.awscloudfront.amazonaws.comaos.ca-central-1.api.awsaos.eu-central-1.api.awsaos.eu-central-2.api.awsaos.il-central-1.api.awsaos.me-central-1.api.awslambda.ap-east-1.api.awslambda.ca-west-1.api.awslambda.eu-west-1.api.awslambda.eu-west-2.api.awslambda.eu-west-3.api.awslambda.sa-east-1.api.awslambda.us-east-1.api.awslambda.us-east-2.api.awslambda.us-west-1.api.awslambda.us-west-2.api.awsrekognition.ca-central-1budgets.amazonaws.com.cnroute53.amazonaws.com.cnacm.{region}.{dnsSuffix}dms.{region}.{dnsSuffix}ec2.{region}.{dnsSuffix}eks.{region}.{dnsSuffix}iam.us-gov.amazonaws.comrds.{region}.{dnsSuffix}sqs.{reg
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: not a valid logrus Level: %qRtlDosPathNameToNtPathName_Uhttp.response_content_lengthBUG: got len %d, expected %d/grpc.health.v1.Health/Watchfailed to exit idle mode: %wfailed to convert %q to uintgolang.org/x/net/trace.Traceget-dispatch-macro-characterinvoke-restart-interactivelyset-dispatch-macro-charactertwo-way-stream-output-streamdefine-globalized-minor-modewith-tramp-progress-reporterbool-vector-count-populationcombine-after-change-executecurrent-window-configurationfind-operation-coding-systeminternal-face-x-get-resourcenext-read-file-uses-dialog-pregister-code-conversion-mapset-process-datagram-addressset-process-filter-multibyteset-window-combination-limitthis-single-command-raw-keyswindow-redisplay-end-trigger(?<!\$)(\$)([a-zA-Z_][\w.])([\t ]+)([^\r\n]+)(\r?\n\|\Z)Telemetry::Instrument::Usage(?<=^\|\b\|\s)(ms\|m\|rx)\b(\s)^( \.\.)(\s)(\[.+\])(.*?)$embedded/morrowindscript.xmlembedded/protocol_buffer.xmlgif: reading color table: %s%#v has map key with NaNs
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: Isikhathi sase-Chile esijwayelekileIsikhathi sasemini sase-New ZealandIsikhathi sehlobo sase-Turkmenistanbad successive approximation valuesshould never reach here Include(%q)exif: seek to sub-IFD %s failed: %vunable to find oid for type name %vcannot convert %v to Int4multirangecannot convert %v to Int8multirangecannot convert %v to TimestampArray2006-01-02 15:04:05.999999999Z07:00cannot convert %v to TstzrangeArrayfield match condition not found in unexpected ending in qualified ruleClient request count by HTTP methodServer request count by HTTP methodprecis: disallowed rune encounteredcrypto/blake2b: cannot marshal MACscrypto/cipher: input not full blockssyntax error scanning complex numberaccessing a corrupted shared libraryTime.UnmarshalBinary: invalid lengthmethod ABI and value ABI don't alignreflect.Value.Equal: values of type strings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportCherokee United States (chr-Cher-US)Chinese (Traditional) Taiwan (zh-TW)English United Arab Emirates (en-AE)bytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative position%s is not a method but has argumentswrong number of args: got %d want %dinternal error: associate not common444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes: Repeat output length overflowlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: Isikhathi sase-Chile esijwayelekileIsikhathi sasemini sase-New ZealandIsikhathi sehlobo sase-Turkmenistanbad successive approximation valuesshould never reach here Include(%q)exif: seek to sub-IFD %s failed: %vunable to find oid for type name %vcannot convert %v to Int4multirangecannot convert %v to Int8multirangecannot convert %v to TimestampArray2006-01-02 15:04:05.999999999Z07:00cannot convert %v to TstzrangeArrayfield match condition not found in unexpected ending in qualified ruleClient request count by HTTP methodServer request count by HTTP methodprecis: disallowed rune encounteredcrypto/blake2b: cannot marshal MACscrypto/cipher: input not full blockssyntax error scanning complex numberaccessing a corrupted shared libraryTime.UnmarshalBinary: invalid lengthmethod ABI and value ABI don't alignreflect.Value.Equal: values of type strings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportCherokee United States (chr-Cher-US)Chinese (Traditional) Taiwan (zh-TW)English United Arab Emirates (en-AE)bytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative position%s is not a method but has argumentswrong number of args: got %d want %dinternal error: associate not common444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes: Repeat output length overflowlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: tls: internal error: sending non-handshake message to QUIC transportpadding bytes must all be zeros unless AllowIllegalWrites is enabledhttp2: Transport conn %p received error from processing frame %v: %vhttp2: Transport received unsolicited DATA frame; closing connectionhttp: message cannot contain multiple Content-Length headers; got %qAn update strategy to replace existing DaemonSet pods with new pods.The last time the condition transitioned from one status to another.The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.PersistentVolumeStatus is the current status of a persistent volume.PodAttachOptions is the query options to a Pod's remote attach call.optional field specify whether the Secret or its key must be definedPodCondition contains details for the current condition of this pod.ScaleIOPersistentVolumeSource represents a persistent ScaleIO volumeproto: ISCSIPersistentVolumeSource: wiretype end group for non-groupproto: PersistentVolumeClaimCondition: illegal tag %d (wire type %d)proto: PersistentVolumeClaimStatus: wiretype end group for non-groupproto: ReplicationControllerCondition: illegal tag %d (wire type %d)proto: ReplicationControllerStatus: wiretype end group for non-groupproto: VsphereVirtualDiskVolumeSource: illegal tag %d (wire type %d)(brief) machine readable reason for the condition's last transition.expected SCALAR, SEQUENCE-START, MAPPING-START, or ALIAS, but got %vembedded IPv4 address must replace the final 2 fields of the addressbig: invalid 2nd argument to Int.Jacobi: need odd integer but got %s2695994666715063979466701508701963067355791626002630814351006629888126959946667150639794667015087019625940457807714424391721682722368061crypto/hmac: hash generation function does not produce unique valuescustom type: type: %v, does not implement the proto.custom interfacedecoding int array or slice: length exceeds input size (%d elements)invalid retry throttling config: tokenRatio (%v) may not be negativelabels in collected metric %s %s are inconsistent with descriptor %sKind %q used in outputs configuration is deprecated, use %q instead.extension %v does not implement protoreflect.ExtensionTypeDescriptorrpc.Register: method %q has %d output parameters; needs exactly one
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uidsSpecifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; value must be positive integer. If a Job is suspended (at creation or through an update), this timer will effectively be stopped and reset when the Job is resumed again.A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uidsSpecifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; value must be positive integer. If a Job is suspended (at creation or through an update), this timer will effectively be stopped and reset when the Job is resumed again.A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: The contents of the target ConfigMap's Data field will be presented in a projected volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. Note that this is identical to a configmap volume source without the default mode.List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource.GC cycle the last time the GC CPU limiter was enabled. This metric is useful for diagnosing the root cause of an out-of-memory error, because the limiter trades memory for CPU time when the GC's CPU time gets too high. This is most likely to occur with use of SetMemoryLimit. The first GC cycle is cycle 1, so a value of 0 indicates that it was never enabled.Distribution of individual GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.StatusDetails is a set of additional properties that MAY be set by the server to provide additional information about a response. The Reason field of a Status object defines what attributes will be set. Clients must ignore fields that do not match the defined type of each attribute, and should assume that any attribute may be empty, invalid, or under defined.AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.Specifies the set of values. Each returned container exit code (might be multiple in case of multiple containers) is checked against this set of values with respect to the operator. The list of values must be ordered and must not contain duplicates. Value '0' cannot be used for the In operator. At least one element is required. At most 255 elements are allowed.Name is the name of the operating system. The currently supported values are linux and windows. Additional value may be defined in future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration Clients should expect to handle additional values and treat unrecognized values in this field as os: nullThe maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deplo
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: The contents of the target ConfigMap's Data field will be presented in a projected volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. Note that this is identical to a configmap volume source without the default mode.List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource.GC cycle the last time the GC CPU limiter was enabled. This metric is useful for diagnosing the root cause of an out-of-memory error, because the limiter trades memory for CPU time when the GC's CPU time gets too high. This is most likely to occur with use of SetMemoryLimit. The first GC cycle is cycle 1, so a value of 0 indicates that it was never enabled.Distribution of individual GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.StatusDetails is a set of additional properties that MAY be set by the server to provide additional information about a response. The Reason field of a Status object defines what attributes will be set. Clients must ignore fields that do not match the defined type of each attribute, and should assume that any attribute may be empty, invalid, or under defined.AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.Specifies the set of values. Each returned container exit code (might be multiple in case of multiple containers) is checked against this set of values with respect to the operator. The list of values must be ordered and must not contain duplicates. Value '0' cannot be used for the In operator. At least one element is required. At most 255 elements are allowed.Name is the name of the operating system. The currently supported values are linux and windows. Additional value may be defined in future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration Clients should expect to handle additional values and treat unrecognized values in this field as os: nullThe maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deplo
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: <rule pattern="(hardware\|packet\|leased-address\|host-decl-name\|lease-time\|max-lease-time\|client-state\|config-option\|option\|filename\|next-server\|allow\|deny\|match\|ignore)\b">
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: <rule pattern="(?i)\b(?<!-)(?<!#)(ENTIRE\|BY\|NAME\|ARRAY\|SPECIFIED\|VIEW\|MODULE\|FUNCTION\|RETURNS\|AND\|NUMERIC\|OPTIONAL\|END-PARSE\|TRUE\|END-RESULT\|LEAVING\|NOT\|CONDITION\|NUMBER\|NO\|EXP\|FULL\|REPLACE\|INSERT\|DOEND\|LOG\|ABS\|ANY\|REPEAT\|SET\|DLOGOFF\|DOWNLOAD\|BREAK\|VALUES\|DIVIDE\|COMPRESS\|UPDATE\|SORTKEY\|OR\|END-FIND\|END-ENDPAGE\|REDUCE\|IGNORE\|MIN\|WASTE\|END-DEFINE\|SUBSTR\|END\|FIND\|ADD\|INVESTIGATE\|DNATIVE\|CONST\|COS\|ENDHOC\|SGN\|COPY\|REDEFINE\|DEFINE\|MULTIPLY\|ASSIGN\|LE\|VALUE\|COMPOSE\|FALSE\|POS\|CALL\|TAN\|ERROR\|CLOSE\|PARSE\|LT\|WITH_CTE\|END-SORT\|EJECT\|RESET\|SHOW\|LOCAL\|PERFORM\|TERMINATE\|VAL\|BACKOUT\|END-LOOP\|REJECT\|SUM\|CREATE\|SORT\|RETURN\|AT\|SIN\|SETTIME\|INT\|NE\|GLOBAL\|END-SELECT\|ELSE\|DELETE\|TOP\|INCLUDE\|END-ENDDATA\|LOOP\|OLD\|SUSPEND\|SKIP\|SQRT\|RULEVAR\|NMIN\|AVER\|PROCESS\|SELECT\|MAP\|USING\|END-HISTOGRAM\|MAX\|NEWPAGE\|ON\|OFF\|KEY\|NAMED\|CONTROL\|PF1\|PF2\|PF3\|PF4\|PF5\|PF6\|PF7\|PF8\|PF9\|INITIAL\|WRITE\|STORE\|FETCH\|ATN\|RET\|END-WORK\|RESTORE\|GET\|LIMIT\|END-ERROR\|SEND\|OPEN\|ESCAPE\|COMPUTE\|COUNT\|TRANSFER\|RELEASE\|DO\|DYNAMIC\|ROLLBACK\|END-READ\|DISPLAY\|UPLOAD\|END-DATA\|NULL-HANDLE\|NCOUNT\|RESIZE\|END-PROCESS\|REQUEST\|READ\|SEPARATE\|EQ\|INPUT\|DATA\|END-START\|STACK\|REINPUT\|INCDIC\|INCCONT\|END-IF\|WHEN\|END-BEFORE\|WHILE\|END-ENDFILE\|END-TOPPAGE\|INCDIR\|PARAMETER\|OBTAIN\|CALLDBPROC\|END-BROWSE\|MOVE\|SUBTRACT\|DLOGON\|EXAMINE\|SUBSTRING\|BEFORE\|STOP\|RUN\|END-BREAK\|EXPORT\|END-SUBROUTINE\|FOR\|GE\|PRINT\|BROWSE\|IMPORT\|EXPAND\|ALL\|PASSW\|FORMAT\|GT\|END-NOREC\|END-DECIDE\|END-FOR\|CALLNAT\|END-ALL\|OPTIONS\|RETRY\|NONE\|INCMAC\|END-FILE\|DECIDE\|INIT\|HISTOGRAM\|NAVER\|START\|ACCEPT\|COMMIT\|TOTAL\|IF\|FRAC\|END-REPEAT\|UNTIL\|TO\|INTO\|WITH\|DELIMITER\|FIRST\|OF\|INTO\|SUBROUTINE\|GIVING\|POSITION)\b(?!-)">
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: <rule pattern="(^\|(?<=[^\w\-]))(WORKING-STORAGE\|IDENTIFICATION\|LOCAL-STORAGE\|CONFIGURATION\|END-EVALUATE\|FILE-CONTROL\|END-UNSTRING\|END-SUBTRACT\|END-MULTIPLY\|INPUT-OUTPUT\|END-PERFORM\|END-DISPLAY\|END-OF-PAGE\|END-COMPUTE\|ENVIRONMENT\|I-O-CONTROL\|END-REWRITE\|END-RETURN\|INITIALIZE\|END-ACCEPT\|END-DIVIDE\|PROGRAM-ID\|END-STRING\|END-DELETE\|END-SEARCH\|END-WRITE\|PROCEDURE\|END-START\|TERMINATE\|END-READ\|MULTIPLY\|CONTINUE\|SUPPRESS\|SUBTRACT\|INITIATE\|UNSTRING\|DIVISION\|VALIDATE\|END-CALL\|ALLOCATE\|GENERATE\|EVALUATE\|PERFORM\|FOREVER\|LINKAGE\|END-ADD\|REWRITE\|INSPECT\|SECTION\|RELEASE\|COMPUTE\|DISPLAY\|END-IF\|GOBACK\|INVOKE\|CANCEL\|UNLOCK\|SCREEN\|SEARCH\|DELETE\|STRING\|DIVIDE\|ACCEPT\|RETURN\|RESUME\|START\|RAISE\|MERGE\|CLOSE\|WRITE\|FILE\|STOP\|FREE\|READ\|ELSE\|THEN\|SORT\|EXIT\|OPEN\|CALL\|MOVE\|DATA\|END\|SET\|ADD\|USE\|GO\|FD\|SD\|IF)\s*($\|(?=[^\w\-]))">
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: <rule pattern="(^\|(?<=[^\w\-]))(WORKING-STORAGE\|IDENTIFICATION\|LOCAL-STORAGE\|CONFIGURATION\|END-EVALUATE\|FILE-CONTROL\|END-UNSTRING\|END-SUBTRACT\|END-MULTIPLY\|INPUT-OUTPUT\|END-PERFORM\|END-DISPLAY\|END-OF-PAGE\|END-COMPUTE\|ENVIRONMENT\|I-O-CONTROL\|END-REWRITE\|END-RETURN\|INITIALIZE\|END-ACCEPT\|END-DIVIDE\|PROGRAM-ID\|END-STRING\|END-DELETE\|END-SEARCH\|END-WRITE\|PROCEDURE\|END-START\|TERMINATE\|END-READ\|MULTIPLY\|CONTINUE\|SUPPRESS\|SUBTRACT\|INITIATE\|UNSTRING\|DIVISION\|VALIDATE\|END-CALL\|ALLOCATE\|GENERATE\|EVALUATE\|PERFORM\|FOREVER\|LINKAGE\|END-ADD\|REWRITE\|INSPECT\|SECTION\|RELEASE\|COMPUTE\|DISPLAY\|END-IF\|GOBACK\|INVOKE\|CANCEL\|UNLOCK\|SCREEN\|SEARCH\|DELETE\|STRING\|DIVIDE\|ACCEPT\|RETURN\|RESUME\|START\|RAISE\|MERGE\|CLOSE\|WRITE\|FILE\|STOP\|FREE\|READ\|ELSE\|THEN\|SORT\|EXIT\|OPEN\|CALL\|MOVE\|DATA\|END\|SET\|ADD\|USE\|GO\|FD\|SD\|IF)\s*($\|(?=[^\w\-]))">
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: <rule pattern="\b(use-glyph-orientation\|decimal-leading-zero\|ruby-base-container\|ruby-text-container\|table-column-group\|table-header-group\|geometricPrecision\|table-footer-group\|optimizeLegibility\|alternate-reverse\|repeat no-repeat\|table-row-group\|all-petite-caps\|ultra-condensed\|extra-condensed\|box-decoration\|sideways-right\|extra-expanded\|no-close-quote\|all-small-caps\|semi-condensed\|ultra-expanded\|column-reverse\|space-between\|semi-expanded\|table-caption\|no-open-quote\|sideways-left\|double-circle\|vertical-text\|optimizeSpeed\|weight style\|currentColor\|titling-caps\|match-parent\|table-column\|line-through\|inline-block\|inline-table\|wrap-reverse\|avoid-column\|manipulation\|space-around\|context-menu\|lower-alpha\|row-reverse\|not-allowed\|content-box\|ease-in-out\|close-quote\|lower-latin\|crisp-edges\|lower-roman\|lower-greek\|upper-alpha\|upper-latin\|upper-roman\|nwse-resize\|nesw-resize\|preserve-3d\|inline-flex\|petite-caps\|color-dodge\|descendants\|padding-box\|capitalize\|small-caps\|difference\|inter-word\|step-start\|all-scroll\|stroke-box\|soft-light\|margin-box\|open-quote\|table-cell\|row-resize\|border-box\|hard-light\|break-word\|color-burn\|luminosity\|full-width\|col-resize\|from-image\|avoid-page\|scale-down\|saturation\|sans-serif\|flex-start\|distribute\|horizontal\|alternate\|ruby-text\|force-end\|list-item\|se-resize\|mandatory\|exclusion\|ns-resize\|underline\|ruby-base\|ew-resize\|condensed\|container\|uppercase\|no-repeat\|nw-resize\|table-row\|backwards\|crosshair\|proximity\|sw-resize\|lowercase\|allow-end\|each-line\|monospace\|pixelated\|ne-resize\|luminance\|pan-right\|ellipsis\|pan-down\|pan-left\|overline\|multiply\|progress\|relative\|infinite\|repeat-x\|repeat-y\|georgian\|forwards\|flex-end\|s-resize\|fill-box\|expanded\|separate\|ease-out\|sideways\|e-resize\|step-end\|n-resize\|collapse\|triangle\|baseline\|view-box\|w-resize\|armenian\|absolute\|xx-large\|xx-small\|vertical\|zoom-out\|contain\|ease-in\|running\|no-drop\|zoom-in\|unicase\|hanging\|smaller\|x-large\|overlay\|compact\|lighter\|lighten\|objects\|oblique\|x-small\|reverse\|stretch\|upright\|cursive\|inherit\|initial\|outside\|pointer\|decimal\|default\|justify\|visible\|balance\|isolate\|fantasy\|paused\|static\|pan-up\|invert\|inside\|italic\|weight\|inline\|hidden\|outset\|larger\|repeat\|always\|spaces\|sticky\|circle\|digits\|linear\|column\|smooth\|nowrap\|bolder\|normal\|sesame\|dashed\|groove\|darken\|bottom\|run-in\|manual\|dotted\|double\|medium\|filled\|screen\|scroll\|center\|strict\|square\|edges\|serif\|start\|thick\|first\|clone\|fixed\|slice\|small\|under\|unset\|block\|color\|round\|solid\|space\|right\|ridge\|blink\|below\|pan-y\|avoid\|large\|cover\|inset\|alpha\|local\|alias\|style\|loose\|table\|mixed\|pan-x\|page\|ruby\|disc\|none\|snap\|ease\|text\|show\|thin\|clip\|left\|open\|wrap\|fill\|cell\|flat\|flex\|flip\|last\|both\|help\|bold\|over\|hide\|wait\|icon\|move\|auto\|copy\|wavy\|top\|ltr\|row\|rtl\|end\|hue\|dot\|off\|all\|ink\|to\|on)\b">
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: <push state="function-start"/>
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: <state name="function-start">
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: <rule pattern="(use-glyph-orientation\|decimal-leading-zero\|ruby-base-container\|ruby-text-container\|table-column-group\|table-header-group\|geometricPrecision\|table-footer-group\|optimizeLegibility\|alternate-reverse\|repeat no-repeat\|table-row-group\|all-petite-caps\|ultra-condensed\|extra-condensed\|box-decoration\|sideways-right\|extra-expanded\|no-close-quote\|all-small-caps\|semi-condensed\|ultra-expanded\|column-reverse\|space-between\|semi-expanded\|table-caption\|no-open-quote\|sideways-left\|double-circle\|vertical-text\|optimizeSpeed\|weight style\|currentColor\|titling-caps\|match-parent\|table-column\|line-through\|inline-block\|inline-table\|wrap-reverse\|avoid-column\|manipulation\|space-around\|context-menu\|lower-alpha\|row-reverse\|not-allowed\|content-box\|ease-in-out\|close-quote\|lower-latin\|crisp-edges\|lower-roman\|lower-greek\|upper-alpha\|upper-latin\|upper-roman\|nwse-resize\|nesw-resize\|preserve-3d\|inline-flex\|petite-caps\|color-dodge\|descendants\|padding-box\|capitalize\|small-caps\|difference\|inter-word\|step-start\|all-scroll\|stroke-box\|soft-light\|margin-box\|open-quote\|table-cell\|row-resize\|border-box\|hard-light\|break-word\|color-burn\|luminosity\|full-width\|col-resize\|from-image\|avoid-page\|scale-down\|saturation\|sans-serif\|flex-start\|distribute\|horizontal\|alternate\|ruby-text\|force-end\|list-item\|se-resize\|mandatory\|exclusion\|ns-resize\|underline\|ruby-base\|ew-resize\|condensed\|container\|uppercase\|no-repeat\|nw-resize\|table-row\|backwards\|crosshair\|proximity\|sw-resize\|lowercase\|allow-end\|each-line\|monospace\|pixelated\|ne-resize\|luminance\|pan-right\|ellipsis\|pan-down\|pan-left\|overline\|multiply\|progress\|relative\|infinite\|repeat-x\|repeat-y\|georgian\|forwards\|flex-end\|s-resize\|fill-box\|expanded\|separate\|ease-out\|sideways\|e-resize\|step-end\|n-resize\|collapse\|triangle\|baseline\|view-box\|w-resize\|armenian\|absolute\|xx-large\|xx-small\|vertical\|zoom-out\|contain\|ease-in\|running\|no-drop\|zoom-in\|unicase\|hanging\|smaller\|x-large\|overlay\|compact\|lighter\|lighten\|objects\|oblique\|x-small\|reverse\|stretch\|upright\|cursive\|inherit\|initial\|outside\|pointer\|decimal\|default\|justify\|visible\|balance\|isolate\|fantasy\|paused\|static\|pan-up\|invert\|inside\|italic\|weight\|inline\|hidden\|outset\|larger\|repeat\|always\|spaces\|sticky\|circle\|digits\|linear\|column\|smooth\|nowrap\|bolder\|normal\|sesame\|dashed\|groove\|darken\|bottom\|run-in\|manual\|dotted\|double\|medium\|filled\|screen\|scroll\|center\|strict\|square\|edges\|serif\|start\|thick\|first\|clone\|fixed\|slice\|small\|under\|unset\|block\|color\|round\|solid\|space\|right\|ridge\|blink\|below\|pan-y\|avoid\|large\|cover\|inset\|alpha\|local\|alias\|style\|loose\|table\|mixed\|pan-x\|page\|ruby\|disc\|none\|snap\|ease\|text\|show\|thin\|clip\|left\|open\|wrap\|fill\|cell\|flat\|flex\|flip\|last\|both\|help\|bold\|over\|hide\|wait\|icon\|move\|auto\|copy\|wavy\|top\|ltr\|row\|rtl\|end\|hue\|dot\|off\|all\|ink\|to\|on)\b">
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: <push state="value-start"/>
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: <state name="value-start">
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: <rule pattern="\b(no-discretionary-ligatures\|no-historical-ligatures\|discretionary-ligatures\|simp-chinese-informal\|trad-chinese-informal\|korean-hanja-informal\|historical-ligatures\|korean-hangul-formal\|decimal-leading-zero\|korean-hanja-formal\|ruby-text-container\|ruby-base-container\|no-common-ligatures\|trad-chinese-formal\|simp-chinese-formal\|cjk-earthly-branch\|geometricPrecision\|optimizeLegibility\|table-header-group\|table-footer-group\|diagonal-fractions\|table-column-group\|proportional-width\|disclosure-closed\|stacked-fractions\|japanese-informal\|alternate-reverse\|cjk-heavenly-stem\|proportional-nums\|slider-horizontal\|ideograph-numeric\|common-ligatures\|isolate-override\|ethiopic-numeric\|ideograph-alpha\|table-row-group\|all-petite-caps\|cjk-ideographic\|inter-character\|ultra-condensed\|scroll-position\|extra-condensed\|japanese-formal\|disclosure-open\|menulist-button\|upper-armenian\|lower-armenian\|extra-expanded\|semi-condensed\|space-adjacent\|all-small-caps\|discard-before\|katakana-iroha\|full-size-kana\|no-close-quote\|ultra-expanded\|hiragana-iroha\|target-counter\|column-reverse\|spelling-error\|grammar-error\|optimizeSpeed\|discard-after\|no-contextual\|trim-adjacent\|table-caption\|square-button\|semi-expanded\|border-bottom\|ui-sans-serif\|double-circle\|vertical-text\|outside-shape\|horizontal-tb\|no-open-quote\|space-between\|small-caption\|oldstyle-nums\|bidi-override\|progress-bar\|match-parent\|line-through\|space-around\|inline-table\|inline-block\|high-quality\|space-evenly\|table-column\|currentColor\|arabic-indic\|ui-monospace\|rotate-right\|inline-start\|avoid-region\|avoid-column\|match-source\|manipulation\|tabular-nums\|context-menu\|slashed-zero\|cubic-bezier\|titling-caps\|wrap-reverse\|color-dodge\|sideways-lr\|no-compress\|space-first\|searchfield\|lining-nums\|fit-content\|ease-in-out\|punctuation\|min-content\|petite-caps\|crisp-edges\|push-button\|translate3d\|row-reverse\|perspective\|max-content\|nesw-resize\|not-allowed\|preserve-3d\|space-start\|drop-shadow\|padding-box\|text-bottom\|rotate-left\|block-start\|inline-grid\|inline-flex\|upper-latin\|upper-alpha\|lower-latin\|auto
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: flow\|lower-alpha\|message-box\|lower-greek\|upper-roman\|lower-roman\|vertical-rl\|traditional\|justify-all\|close-quote\|content-box\|vertical-lr\|cjk-decimal\|transparent\|sideways-rl\|target-text\|balance-all\|ideographic\|nwse-resize\|saturation\|flex-start\|open-quote\|from-image\|avoid-flex\|avoid-line\|stroke-box\|ui-rounded\|margin-box\|self-start\|inline-end\|devanagari\|avoid-page\|status-bar\|all-scroll\|col-resize\|row-resize\|translateZ\|translateY\|translateX\|hue-rotate\|small-caps\|brightness\|step-start\|capitalize\|trim-start\|trim-inner\|sans-serif\|scale-down\|contextual\|break-word\|horizontal\|inter-word\|color-burn\|cross-fade\|hard-light\|soft-light\|border-box\|table-cell\|luminosity\|full-width\|difference\|simplified\|alphabetic\|mandatory\|exclusion\|from-font\|table-row\|flow-root\|underline\|image-set\|proximity\|ruby-base\|ruby-text\|list-item\|monospace\|intersect\|ns-resize\|textfield\|ew-resize\|uppercase\|sw-resize\|se-resize\|nw-resize\|lowercase\|grayscale\|ne-resize\|pan-right\|translate\|backwards\|available\|luminance\|condensed\|alternate\|mongolian\|plaintext\|malayalam\|cambodian\|transform\|block-end\|force-end\|break-all\|crosshair\|allow-end\|no-repeat\|pixelated\|system-ui\|xxx-large\|space-end\|w-resize\|georgian\|flex-end\|baseline\|gujarati\|fangsong\|ui-serif\|fill-box\|keep-all\|view-box\|xx-small\|gurmukhi\|pre-line\|pre-wrap\|contents\|xx-large\|text-top\|hiragana\|self-end\|katakana\|collapse\|separate\|anywhere\|saturate\|expanded\|subtract\|progress\|repeat-x\|rotate3d\|repeat-y\|contrast\|relative\|forwards\|infinite\|absolute\|matrix3d\|vertical\|overline\|pan-down\|pan-left\|step-end\|triangle\|ease-out\|textarea\|sideways\|checkbox\|menulist\|ellipsis\|trim-end\|grabbing\|multiply\|zoom-out\|n-resize\|s-resize\|armenian\|ordinal\|zoom-in\|visible\|overlay\|no-drop\|listbox\|unicode\|lighten\|ease-in\|lighter\|element\|running\|justify\|display\|fantasy\|unicase\|subgrid\|reverse\|upright\|stretch\|rotateX\|current\|exclude\|rotateY\|pointer\|contain\|opacity\|default\|no-clip\|in-flow\|hanging\|isolate\|discard\|tibetan\|persian\|myanmar\|rotateZ\|content\|inherit\|outside\|initial\|kannada\|smaller\|decimal\|symbols\|x-large\|balance\|x-small\|economy\|caption\|minimum\|maximum\|polygon\|ellipse\|cursive\|bengali\|masonry\|static\|region\|column\|run-in\|inline\|middle\|circle\|larger\|button\|square\|pretty\|always\|hidden\|rotate\|inside\|scroll\|screen\|matrix\|create\|unsafe\|center\|paused\|nowrap\|medium\|darken\|sesame\|strict\|outset\|pan-up\|bolder\|telugu\|scaleX\|linear\|scaleY\|groove\|double\|scaleZ\|dashed\|minmax\|legacy\|hebrew\|bottom\|dotted\|leader\|normal\|stable\|weight\|smooth\|filled\|italic\|revert\|manual\|repeat\|sticky\|invert\|table\|round\|space\|alias\|jis78\|dense\|sepia\|emoji\|auto;\|clear\|skewX\|cover\|right\|skewY\|style\|light\|unset\|force\|alpha\|large\|focus\|solid\|ridge\|white\|embed\|tamil\|blink\|first\|scale\|radio\|color\|jis83\|under\|block\|jis90\|inset\|start\|pan-y\|oriya\|super\|loose\|mixed\|thick\|slice\|pan-x\|khmer\|width\|local\|fixed\|clone\|avoid\|serif\|exact\|recto\|meter\|small\|verso\|jis04\|image\|flow\|flex\|grid\|ruby\|wrap\|ease\|safe\|grab\|move\|icon\|bold\|last\|open\|over\|wavy\|show\|hide\|both\|url;\|none\|blur\|text\|line\|menu\|copy\|dark\|left\|math\|cell\|clip\|fill\|
Source: LisectAVT_2403002A_476.exe	String found in binary or memory: /c\|real-part\|numerator\|hash-set\\|hash-set!\|boolean=\?\|read-line\|hash-ref!\|read-char\|read-cdot\|hash-keys\|hash-eqv\?\|partition\|path-only\|between/c\|peek-byte\|peek-char\|read-byte\|rational\?\|hash-copy\|positive\?\|weak-box\?\|print-box\|alarm-evt\|guard-evt\|promise/c\|prop:dict\|conjugate\|sequence\?\|in-range\|group-by\|set-eqv\?\|set-box!\|generic\?\|dict-map\|dict-ref\|channel\?\|hash-eq\?\|set-add!\|dict-set\|one-of/c\|box-cas!\|for-each\|make-exn\|set-copy\|hash-map\|hash-ref\|hash-set\|syntax-e\|integer\?\|set-rest\|inexact\?\|vectorof\|truncate\|stream/c\|string<\?\|string=\?\|symbol=\?\|string>\?\|symbol<\?\|vector/c\|prop:evt\|plumber\?\|pregexp\?\|identity\|in-value\|list-set\|in-bytes\|in-cycle\|weak-set\|in-slice\|date-day\|subbytes\|in-lines\|list-ref\|boolean\?\|udp-send\|promise\?\|process\\|keyword\?\|equal<%>\|object=\?\|compose1\|exn:fail\|in-mlist\|split-at\|syntax/c\|quotient\|wrap-evt\|complex\?\|char<=\?\|system\\|println\|syntax\?\|in-port\|compose\|in-list\|conjoin\|regexp\?\|bytes>\?\|process\|compile\|\list/c\|object%\|thread\?\|eof-evt\|load/cd\|logger\?\|struct\?\|pregexp\|bytes=\?\|in-hash\|in-dict\|srcloc\?\|list\of\|append\\|shuffle\|writeln\|call/cc\|hasheqv\|subset\?\|seventh\|char>=\?\|call/ec\|number\?\|bytes<\?\|string\?\|object\?\|symbol\?\|symbols\|version\|display\|disjoin\|stream\?\|vector\?\|fixnum\?\|arity=\?\|flatten\|flonum\?\|set-map\|reverse\|newline\|ceiling\|fprintf\|is-a\?/c\|future\?\|real-in\|char-in\|remove\\|set-eq\?\|set-add\|base->\?\|eprintf\|andmap\|modulo\|blame\?\|cdaadr\|cdaaar\|seteqv\|length\|eighth\|vector\|cadddr\|caddar\|date\\?\|cdaddr\|cadadr\|empty\?\|curryr\|cadaar\|caaddr\|in-set\|equal\?\|mpair\?\|list/c\|cddaar\|cddadr\|member\|argmax\|cons/c\|argmin\|listof\|caadar\|printf\|caaadr\|caaaar\|bytes\?\|system\|putenv\|exact\?\|expand\|class\?\|random\|srcloc\|cdddar\|false\?\|filter\|char>\?\|hasheq\|none/c\|second\|cddddr\|hash/c\|string\|place\?\|char=\?\|values\|char<\?\|negate\|append\|regexp\|cdadar\|fourth\|future\|banner\|gensym\|getenv\|remove\|thread\|format\|path<\?\|tenth\|third\|remf\\|path\?\|char\?\|ninth\|remq\\|pair\?\|ormap\|mcons\|assoc\|remv\\|round\|cdddr\|takef\|range\|cons\?\|cddar\|const\|list\?\|apply\|port\?\|count\|curry\|touch\|cdadr\|date\\|list\\|date\?\|findf\|is-a\?\|box/c\|set/c\|set=\?\|dict\?\|void\?\|null\?\|seteq\|dropf\|not/c\|caddr\|empty\|print\|cadar\|raise\|any/c\|byte\?\|caadr\|sixth\|angle\|and/c\|error\|caaar\|n->th\|sleep\|even\?\|evt/c\|write\|bytes\|unbox\|fifth\|unit\?\|first\|floor\|foldl\|foldr\|force\|real\?\|zero\?\|hash\?\|cdaar\|sinh\|nan\?\|udp\?\|caar\|cadr\|null\|hash\|rest\|box\?\|<=/c\|memv\|expt\|true\|memq\|cdar\|memf\|cddr\|odd\?\|exn\?\|or/c\|mcdr\|mcar\|if/c\|eqv\?\|exit\|remf\|remq\|atan\|assv\|assq\|remv\|assf\|asin\|pi\.f\|tanh\|>=/c\|take\|read\|acos\|load\|cons\|sort\|add1\|cosh\|date\|list\|evt\?\|eval\|last\|sync\|void\|set\?\|drop\|sub1\|sqrt\|sin\|sgn\|eof\|~\.a\|eq\?\|</c\|lcm\|set\|cos\|~\.s\|log\|abs\|tan\|~\.v\|gcd\|map\|xor\|=/c\|max\|cdr\|exp\|sqr\|box\|min\|car\|>/c\|not\|exn\|~v\|~s\|<=\|~r\|~e\|~a\|>=\|pi\|/\|\\|>\|\+\|=\|-\|<)(?=[()[\]{}",\'`;\s])">

Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe "C:\Users\user\Desktop\LisectAVT_2403002A_476.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior

Source: LisectAVT_2403002A_476.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: LisectAVT_2403002A_476.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: LisectAVT_2403002A_476.exe

Static file information: File size 52278280 > 1048576

Source: LisectAVT_2403002A_476.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1585800
Source: LisectAVT_2403002A_476.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x103000
Source: LisectAVT_2403002A_476.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1a4e600

Source: LisectAVT_2403002A_476.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: LisectAVT_2403002A_476.exe, 00000001.00000002.2349220183.000000C0007F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_476.exe, 00000001.00000003.2345604969.000002A25EA40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_476.exe, 00000001.00000002.2350737713.000000C00082E000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_476.exe, 00000001.00000003.2345642713.000002A25EA00000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2346300993.00000000007C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: LisectAVT_2403002A_476.exe, 00000001.00000002.2349220183.000000C0007F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_476.exe, 00000001.00000003.2345604969.000002A25EA40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_476.exe, 00000001.00000002.2350737713.000000C00082E000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_476.exe, 00000001.00000003.2345642713.000002A25EA00000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2346300993.00000000007C0000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_0061B6E2 LoadLibraryW,GetProcAddress,GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,

3_2_0061B6E2

Source: LisectAVT_2403002A_476.exe

Static PE information: section name: .xdata

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0061D4F5 push ebp; retf	3_2_0061D4FE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0063A4D8 pushad ; retf	3_2_0063A4D9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00639C4D push 7D10D5EFh; retf	3_2_00639C52

Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_0060BEDC rdtsc

3_2_0060BEDC

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6408	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3640	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: LisectAVT_2403002A_476.exe, 00000001.00000002.2353624038.000002A2177F4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348525768.00000000007A8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_0060BEDC rdtsc

3_2_0060BEDC

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_0061B6E2 LoadLibraryW,GetProcAddress,GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,

3_2_0061B6E2

Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 600000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 600000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: LisectAVT_2403002A_476.exe, 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: associationokeo.shop
Source: LisectAVT_2403002A_476.exe, 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: turkeyunlikelyofw.shop
Source: LisectAVT_2403002A_476.exe, 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: pooreveningfuseor.pw
Source: LisectAVT_2403002A_476.exe, 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: edurestunningcrackyow.fun
Source: LisectAVT_2403002A_476.exe, 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: detectordiscusser.shop
Source: LisectAVT_2403002A_476.exe, 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: problemregardybuiwo.fun
Source: LisectAVT_2403002A_476.exe, 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: lighterepisodeheighte.fun
Source: LisectAVT_2403002A_476.exe, 00000001.00000002.2352645087.000000C000DDE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: technologyenterdo.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 600000			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 530008			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe	Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_476.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Yara detected Go Injector

Source: Yara match	File source: LisectAVT_2403002A_476.exe, type: SAMPLE
Source: Yara match	File source: 00000001.00000002.2358502353.00007FF629174000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.2150034423.00007FF629174000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_476.exe PID: 4508, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected Go Injector

Source: Yara match	File source: LisectAVT_2403002A_476.exe, type: SAMPLE
Source: Yara match	File source: 00000001.00000002.2358502353.00007FF629174000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.2150034423.00007FF629174000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_476.exe PID: 4508, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_476.exe	100%	Avira	TR/Agent.wcutk

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://lighterepisodeheighte.fun/api	100%	Avira URL Cloud	malware
https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-itgroup	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeportUse	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdiskWhenScaled	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/volumes#emptydirmatchLabels	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/nodes/node/#conditionKind	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/nodes/node/#phase	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/volumes#secretmonitors	0%	Avira URL Cloud	safe
https://examples.k8s.io/volumes/rbd/README.md#how-to-use-itGo	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-ow	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/configuration/secret/#secret-typesValue	0%	Avira URL Cloud	safe
https://associationokeo.shop/	100%	Avira URL Cloud	malware
https://kubernetes.io/docs/concepts/nodes/node/#addresses	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/policy/resource-quotas/List	0%	Avira URL Cloud	safe
https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.mdEntrypoint	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxiesClus	0%	Avira URL Cloud	safe
https://examples.k8s.io/volumes/glusterfs/README.md#create-a-podpodIPs	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/services-networking/service/An	0%	Avira URL Cloud	safe
https://detectordiscusser.shop/api	100%	Avira URL Cloud	malware
https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#quality-of-service-classesversion	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectorsThe	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/Route	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/EndpointSubset	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/containers/images.PodSecurityContext	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/Estimated	0%	Avira URL Cloud	safe
https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it	0%	Avira URL Cloud	safe
https://examples.k8s.io/volumes/rbd/README.md(?	0%	Avira URL Cloud	safe
https://microsoftgraph.chinacloudapi.cnk8s.io.api.apps.v1.StatefulSetConditionsucceeded	0%	Avira URL Cloud	safe
http://beego.me/docs/module/toolbox.md	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probesstatus	0%	Avira URL Cloud	safe
https://pooreveningfuseor.pw/api/api	100%	Avira URL Cloud	malware
technologyenterdo.shop	100%	Avira URL Cloud	malware
https://www.iana.org/assignments/service-names).	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/volumes#nfsDeprecated.	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/pods/init-containers/	0%	Avira URL Cloud	safe
https://edurestunningcrackyow.fun/	0%	Avira URL Cloud	safe
https://gohugo.io/methods/page/path/readOnly	0%	Avira URL Cloud	safe
https://associationokeo.shop/apisf	100%	Avira URL Cloud	malware
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/If	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/tasks/administer-cluster/namespaces/secretFile	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditionsMinimum	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/volumes#emptydirpersistentVolumeReclaimPolicy	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk	0%	Avira URL Cloud	safe
https://examples.k8s.io/volumes/glusterfs/README.mdRegisting	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/overview/working-with-objects/names#namesVerbs	0%	Avira URL Cloud	safe
https://web.whatsapp.comserver	0%	Avira URL Cloud	safe
https://login.microsoftonline.com/https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.n	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phaseThe	0%	Avira URL Cloud	safe
https://github.com/go-sql-driver/mysql/wiki/old_passwordsreadOnly	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/Represents	0%	Avira URL Cloud	safe
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-cont	0%	Avira URL Cloud	safe
https://management.core.usgovcloudapi.net/https://dev.azuresynapse.usgovcloudapi.netk8s.io.api.apps.	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-statusLimits	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditionsIf	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks	0%	Avira URL Cloud	safe
https://associationokeo.shop//	100%	Avira URL Cloud	malware
https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumesOwnerReference	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdiskStatus	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uidsSpecifies	0%	Avira URL Cloud	safe
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsvolum	0%	Avira URL Cloud	safe
https://management.azure.com/https://managedhsm.azure.net/https://servicebus.azure.net/https://datab	0%	Avira URL Cloud	safe
https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration	0%	Avira URL Cloud	safe
problemregardybuiwo.fun	0%	Avira URL Cloud	safe
https://edurestunningcrackyow.fun/apidl	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/volumes#nfs	0%	Avira URL Cloud	safe
https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.com&ControllerRevisionList	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/Deprecated:	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/volumes#rbdEstimated	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacityThe	0%	Avira URL Cloud	safe
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.mdSecretReference	0%	Avira URL Cloud	safe
https://issues.k8s.io/61966Path	0%	Avira URL Cloud	safe
https://edurestunningcrackyow.fun/S	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooksHostProcess	0%	Avira URL Cloud	safe
https://golang.org/pkg/unicode/#IsPrint.	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicati	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/persistent-volumesItems	0%	Avira URL Cloud	safe
https://pooreveningfuseor.pw/api	100%	Avira URL Cloud	malware
http://beego.me/docs/advantage/monitor.md	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/architecture/nodes/#capacity	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uidsReceived	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/spec	0%	Avira URL Cloud	safe
https://examples.k8s.io/mysql-cinder-pd/README.mdAPIVersions	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probesCount	0%	Avira URL Cloud	safe
edurestunningcrackyow.fun	0%	Avira URL Cloud	safe
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindscurre	0%	Avira URL Cloud	safe
https://datalake.azure.net/https://api.loganalytics.iohttps://graph.microsoft.us/https://api.loganal	0%	Avira URL Cloud	safe
https://github.com/go-sql-driver/mysql/wiki/strict-mode	0%	Avira URL Cloud	safe
https://examples.k8s.io/volumes/glusterfs/README.md#create-a-podWhether	0%	Avira URL Cloud	safe
https://github.com/grpc/grpc/blob/master/doc/health-checking.md).	0%	Avira URL Cloud	safe
https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types	0%	Avira URL Cloud	safe
https://edurestunningcrackyow.fun/~	0%	Avira URL Cloud	safe
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusp	0%	Avira URL Cloud	safe
associationokeo.shop	100%	Avira URL Cloud	malware
https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-templatekind	0%	Avira URL Cloud	safe
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statust	0%	Avira URL Cloud	safe
https://examples.k8s.io/volumes/glusterfs/README.mdIf	0%	Avira URL Cloud	safe
https://lighterepisodeheighte.fun/apiZ	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
edurestunningcrackyow.fun	unknown	unknown	true	unknown
problemregardybuiwo.fun	unknown	unknown	true	unknown
turkeyunlikelyofw.shop	unknown	unknown	true	unknown
lighterepisodeheighte.fun	unknown	unknown	true	unknown
technologyenterdo.shop	unknown	unknown	true	unknown
detectordiscusser.shop	unknown	unknown	true	unknown
pooreveningfuseor.pw	unknown	unknown	true	unknown
associationokeo.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
technologyenterdo.shop	true	Avira URL Cloud: malware	unknown
problemregardybuiwo.fun	true	Avira URL Cloud: safe	unknown
edurestunningcrackyow.fun	true	Avira URL Cloud: safe	unknown
associationokeo.shop	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://lighterepisodeheighte.fun/api	BitLockerToGo.exe, 00000003.00000002.2348525768.00000000007A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-itgroup	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/volumes#secretmonitors	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeportUse	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdiskWhenScaled	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/nodes/node/#conditionKind	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://examples.k8s.io/volumes/rbd/README.md#how-to-use-itGo	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/nodes/node/#phase	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/volumes#emptydirmatchLabels	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-ow	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://associationokeo.shop/	BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://kubernetes.io/docs/concepts/configuration/secret/#secret-typesValue	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/nodes/node/#addresses	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/services-networking/service/An	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://examples.k8s.io/volumes/glusterfs/README.md#create-a-podpodIPs	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxiesClus	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.mdEntrypoint	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#quality-of-service-classesversion	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://detectordiscusser.shop/api	BitLockerToGo.exe, 00000003.00000003.2347977340.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348695846.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2348128184.00000000007E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://kubernetes.io/docs/concepts/policy/resource-quotas/List	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectorsThe	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
http://beego.me/docs/module/toolbox.md	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://examples.k8s.io/volumes/rbd/README.md(?	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/Route	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/EndpointSubset	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/Estimated	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/containers/images.PodSecurityContext	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://microsoftgraph.chinacloudapi.cnk8s.io.api.apps.v1.StatefulSetConditionsucceeded	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probesstatus	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://www.iana.org/assignments/service-names).	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://pooreveningfuseor.pw/api/api	BitLockerToGo.exe, 00000003.00000003.2347756071.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://kubernetes.io/docs/concepts/workloads/pods/init-containers/	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://gohugo.io/methods/page/path/readOnly	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/volumes#nfsDeprecated.	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://edurestunningcrackyow.fun/	BitLockerToGo.exe, 00000003.00000003.2347977340.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348695846.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2348128184.00000000007E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/tasks/administer-cluster/namespaces/secretFile	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://associationokeo.shop/apisf	BitLockerToGo.exe, 00000003.00000003.2347756071.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/If	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditionsMinimum	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://examples.k8s.io/volumes/glusterfs/README.mdRegisting	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/overview/working-with-objects/names#namesVerbs	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/volumes#emptydirpersistentVolumeReclaimPolicy	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://web.whatsapp.comserver	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://github.com/go-sql-driver/mysql/wiki/old_passwordsreadOnly	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phaseThe	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.n	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/Represents	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-cont	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-statusLimits	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://management.core.usgovcloudapi.net/https://dev.azuresynapse.usgovcloudapi.netk8s.io.api.apps.	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditionsIf	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumesOwnerReference	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://associationokeo.shop//	BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uidsSpecifies	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdiskStatus	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsvolum	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://management.azure.com/https://managedhsm.azure.net/https://servicebus.azure.net/https://datab	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://edurestunningcrackyow.fun/apidl	BitLockerToGo.exe, 00000003.00000003.2347756071.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/volumes#nfs	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/Deprecated:	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.com&ControllerRevisionList	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/volumes#rbdEstimated	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacityThe	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.mdSecretReference	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://golang.org/pkg/unicode/#IsPrint.	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://issues.k8s.io/61966Path	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooksHostProcess	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://edurestunningcrackyow.fun/S	BitLockerToGo.exe, 00000003.00000003.2347977340.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348695846.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2348128184.00000000007E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicati	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/persistent-volumesItems	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
http://beego.me/docs/advantage/monitor.md	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://pooreveningfuseor.pw/api	BitLockerToGo.exe, 00000003.00000003.2347756071.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348578653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://kubernetes.io/docs/concepts/architecture/nodes/#capacity	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/spec	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://examples.k8s.io/mysql-cinder-pd/README.mdAPIVersions	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uidsReceived	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probesCount	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindscurre	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://datalake.azure.net/https://api.loganalytics.iohttps://graph.microsoft.us/https://api.loganal	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://examples.k8s.io/volumes/glusterfs/README.md#create-a-podWhether	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://github.com/go-sql-driver/mysql/wiki/strict-mode	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://github.com/grpc/grpc/blob/master/doc/health-checking.md).	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusp	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://edurestunningcrackyow.fun/~	BitLockerToGo.exe, 00000003.00000003.2347977340.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2348695846.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2348128184.00000000007E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statust	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-templatekind	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://examples.k8s.io/volumes/glusterfs/README.mdIf	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown
https://lighterepisodeheighte.fun/apiZ	BitLockerToGo.exe, 00000003.00000002.2348525768.00000000007A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions	LisectAVT_2403002A_476.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482217
Start date and time:	2024-07-25 19:37:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_476.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@8/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 21 Number of non-executed functions: 82
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: LisectAVT_2403002A_476.exe

Simulations

Behavior and APIs

Time	Type	Description
13:38:21	API Interceptor	2x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.928332997665232
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	LisectAVT_2403002A_476.exe
File size:	52'278'280 bytes
MD5:	642e53c26caa22594f194d6fd6f741d2
SHA1:	6841a765638a5c14ce3d72d659648cda1a0994d1
SHA256:	f7299491506a4658453d0614c307687d24a5af81d97140e7d8767c5421ce3b24
SHA512:	453354f161525259125cf2217fba7ee88eea7d4bd56490250c95b74f71be5ae2f6dd8c1516236bde365e7245c5e3121ed7c6e462692cf37590276c599fd9e687
SSDEEP:	196608:1lXXV2cKzAYr/ueCsnNJGR9COscQf5hphPd6W/C4fraetS3afpi0VbINDi:/F2cCAYVFNDOLQRhp3g4fraeS3axVRI
TLSH:	B4B73957F8A44C94E8A9C138C5618612FE72BC695B3427D33A64F7252F3EBD09A7E700
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.XX....................@.............................0).....I.....`... ............................

File Icon


Icon Hash:	3331f1959e91d14b

Static PE Info

General

Entrypoint:	0x1400014c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x4157b120, 0x1, 0x4157b0f0, 0x1, 0x4157eba0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	7c2fe60df21c5bf7048fa4a414b9ecb8

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [030D67D5h]
mov dword ptr [eax], 00000001h
call 00007F26394BA38Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [030D67B5h]
mov dword ptr [eax], 00000000h
call 00007F26394BA36Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F263AA3F0D4h
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F26394BA6A9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
jmp dword ptr [eax]
inc edi
outsd
and byte ptr [edx+75h], ah
imul ebp, dword ptr [esp+20h], 203A4449h
and dh, byte ptr [edx]
jne 00007F26394BA717h
popad
xor al, 50h
jnc 00007F26394BA742h
xor al, 35h
push esi
xor byte ptr [edx+4Ch], ah
insb
push eax
push esi
cmp byte ptr [edi+32h], dh
das
inc ecx
jp 00007F26394BA723h
push eax
inc ebp
pop eax
imul ebp, dword ptr [6E6D4447h], 496F6D49h
push eax
dec ecx
dec edi
xor byte ptr [edi], ch
xor cl, byte ptr [esi+4Eh]
imul eax, dword ptr [esi+6Ah], 67h
aaa
jno 00007F26394BA728h
insb
xor bh, byte ptr [eax+5Fh]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x31f9000	0x4e	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31fa000	0x1484	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x31fe000	0xf8d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x30d9000	0x6d9f8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x320e000	0x84308	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x30d7600	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x31fa49c	0x460	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x15856c0	0x1585800	6417641fee0c8fae1cf2d23d73b66755	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x1587000	0x102f90	0x103000	cc02e42bb12f1ede07db56e118b7afd0	False	0.27056625542953666	dBase III DBT, version number 0, next free block index 10, 1st item "Igqz0ClEp6aQ="	4.896175437091791	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x168a000	0x1a4e430	0x1a4e600	74d13ede7f846ab7e522b4eeba9d88b1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x30d9000	0x6d9f8	0x6da00	e490ea0c597bbf0f5766f261ef520972	False	0.3936404290193843	data	6.093801503052402	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x3147000	0xc50	0xe00	72f00816ee44a2c755faf096d91676ef	False	0.2583705357142857	data	4.000837251226382	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x3148000	0xb0e00	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x31f9000	0x4e	0x200	90a1d3534398e00970fc6e34d838a7cf	False	0.091796875	data	0.7296780309167858	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x31fa000	0x1484	0x1600	57eec2be9bad131b4abb8a7221164c6e	False	0.2998934659090909	data	4.642690062767796	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x31fc000	0x70	0x200	c0480b52149b2ae5110d58c172273c25	False	0.0859375	data	0.49024517705587084	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x31fd000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x31fe000	0xf8d4	0xfa00	f133362ea24bb613b32e7692f7150870	False	0.317109375	data	3.9834081369511525	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x320e000	0x84308	0x84400	4f30c5b13bbe6b55dbc22f3e4cecbb34	False	0.10664653237240075	data	5.4430701355301725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x31fe370	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.45564516129032256
RT_ICON	0x31fe658	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.6081081081081081
RT_ICON	0x31fe780	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688			0.36087420042643925
RT_ICON	0x31ff628	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152			0.48736462093862815
RT_ICON	0x31ffed0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320			0.6040462427745664
RT_ICON	0x3200438	0x2522	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9592888701872502
RT_ICON	0x320295c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.11265942371280113
RT_ICON	0x3206b84	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.14979253112033195
RT_ICON	0x320912c	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720			0.1878698224852071
RT_ICON	0x320ab94	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.22326454033771106
RT_ICON	0x320bc3c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.2905737704918033
RT_ICON	0x320c5c4	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680			0.34186046511627904
RT_ICON	0x320cc7c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.3962765957446808
RT_GROUP_ICON	0x320d0e4	0xbc	data			0.6542553191489362
RT_VERSION	0x320d1a0	0x400	data	English	United States	0.3818359375
RT_MANIFEST	0x320d5a0	0x334	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.46707317073170734

Imports

DLL

Import

KERNEL32.dll

AddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerA, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler

msvcrt.dll

___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen

Exports

Name	Ordinal	Address
_0000000000000000	1	0x1431f8030

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T19:38:19.324971+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49712	20.114.59.183	192.168.2.6
2024-07-25T19:38:22.231012+0200	UDP	2051470	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lighterepisodeheighte .fun)	49490	53	192.168.2.6	1.1.1.1
2024-07-25T19:38:22.241456+0200	UDP	2050998	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (technologyenterdo .shop)	53603	53	192.168.2.6	1.1.1.1
2024-07-25T19:38:22.312245+0200	UDP	2050956	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (turkeyunlikelyofw .shop)	64458	53	192.168.2.6	1.1.1.1
2024-07-25T19:38:56.937258+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49718	20.114.59.183	192.168.2.6
2024-07-25T19:38:22.322115+0200	UDP	2050952	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (associationokeo .shop)	64837	53	192.168.2.6	1.1.1.1
2024-07-25T19:38:22.301510+0200	UDP	2050953	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pw)	54381	53	192.168.2.6	1.1.1.1
2024-07-25T19:38:22.283519+0200	UDP	2051473	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fun)	50925	53	192.168.2.6	1.1.1.1
2024-07-25T19:38:22.252967+0200	UDP	2050955	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (problemregardybuiwo .fun)	53573	53	192.168.2.6	1.1.1.1
2024-07-25T19:38:22.265044+0200	UDP	2050996	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (detectordiscusser .shop)	58716	53	192.168.2.6	1.1.1.1

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 19:38:22.231012106 CEST	49490	53	192.168.2.6	1.1.1.1
Jul 25, 2024 19:38:22.239115000 CEST	53	49490	1.1.1.1	192.168.2.6
Jul 25, 2024 19:38:22.241456032 CEST	53603	53	192.168.2.6	1.1.1.1
Jul 25, 2024 19:38:22.249692917 CEST	53	53603	1.1.1.1	192.168.2.6
Jul 25, 2024 19:38:22.252966881 CEST	53573	53	192.168.2.6	1.1.1.1
Jul 25, 2024 19:38:22.261265039 CEST	53	53573	1.1.1.1	192.168.2.6
Jul 25, 2024 19:38:22.265043974 CEST	58716	53	192.168.2.6	1.1.1.1
Jul 25, 2024 19:38:22.281788111 CEST	53	58716	1.1.1.1	192.168.2.6
Jul 25, 2024 19:38:22.283519030 CEST	50925	53	192.168.2.6	1.1.1.1
Jul 25, 2024 19:38:22.299778938 CEST	53	50925	1.1.1.1	192.168.2.6
Jul 25, 2024 19:38:22.301510096 CEST	54381	53	192.168.2.6	1.1.1.1
Jul 25, 2024 19:38:22.310508013 CEST	53	54381	1.1.1.1	192.168.2.6
Jul 25, 2024 19:38:22.312244892 CEST	64458	53	192.168.2.6	1.1.1.1
Jul 25, 2024 19:38:22.320432901 CEST	53	64458	1.1.1.1	192.168.2.6
Jul 25, 2024 19:38:22.322114944 CEST	64837	53	192.168.2.6	1.1.1.1
Jul 25, 2024 19:38:22.330202103 CEST	53	64837	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 19:38:22.231012106 CEST	192.168.2.6	1.1.1.1	0x1610	Standard query (0)	lighterepisodeheighte.fun	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:38:22.241456032 CEST	192.168.2.6	1.1.1.1	0xed10	Standard query (0)	technologyenterdo.shop	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:38:22.252966881 CEST	192.168.2.6	1.1.1.1	0x46b6	Standard query (0)	problemregardybuiwo.fun	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:38:22.265043974 CEST	192.168.2.6	1.1.1.1	0x926f	Standard query (0)	detectordiscusser.shop	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:38:22.283519030 CEST	192.168.2.6	1.1.1.1	0x58a6	Standard query (0)	edurestunningcrackyow.fun	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:38:22.301510096 CEST	192.168.2.6	1.1.1.1	0x66c1	Standard query (0)	pooreveningfuseor.pw	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:38:22.312244892 CEST	192.168.2.6	1.1.1.1	0x98f6	Standard query (0)	turkeyunlikelyofw.shop	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:38:22.322114944 CEST	192.168.2.6	1.1.1.1	0x6bb3	Standard query (0)	associationokeo.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 19:38:22.239115000 CEST	1.1.1.1	192.168.2.6	0x1610	Name error (3)	lighterepisodeheighte.fun	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:38:22.249692917 CEST	1.1.1.1	192.168.2.6	0xed10	Name error (3)	technologyenterdo.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:38:22.261265039 CEST	1.1.1.1	192.168.2.6	0x46b6	Name error (3)	problemregardybuiwo.fun	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:38:22.281788111 CEST	1.1.1.1	192.168.2.6	0x926f	Name error (3)	detectordiscusser.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:38:22.299778938 CEST	1.1.1.1	192.168.2.6	0x58a6	Name error (3)	edurestunningcrackyow.fun	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:38:22.320432901 CEST	1.1.1.1	192.168.2.6	0x98f6	Name error (3)	turkeyunlikelyofw.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:38:22.330202103 CEST	1.1.1.1	192.168.2.6	0x6bb3	Name error (3)	associationokeo.shop	none	none	A (IP address)	IN (0x0001)	false

Target ID:	1
Start time:	13:38:01
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_476.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_476.exe"
Imagebase:	0x7ff626bf0000
File size:	52'278'280 bytes
MD5 hash:	642E53C26CAA22594F194D6FD6F741D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000001.00000002.2353353315.000000C001082000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000001.00000002.2358502353.00007FF629174000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000001.00000000.2150034423.00007FF629174000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:38:21
Start date:	25/07/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Imagebase:	0xbc0000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	46.6%
Total number of Nodes:	58
Total number of Limit Nodes:	6

Executed Functions

Function 00633EB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00634011
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0063406E

Strings

,, xrefs: 00633FE8
@, xrefs: 00633F5E

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ,$@
API String ID: 292159236-1227015840
Opcode ID: 1d5ac823b580dcbc43210ea66a9b074ef5eb0b732119e61682b48aed854099b0
Instruction ID: 67639bfb7e96cce6d88e067860ba24b57da3aa448a0b0322135c5efa6322ec74
Opcode Fuzzy Hash: 1d5ac823b580dcbc43210ea66a9b074ef5eb0b732119e61682b48aed854099b0
Instruction Fuzzy Hash: 9E4167B1108305AFE710CF14CC44B5ABBE5FF85368F549A0CF5A48B3E0E7759A088B96

Function 00630E9D Relevance: 6.1, APIs: 4, Instructions: 127
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00630F44
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000010,00008000), ref: 00630F7F

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 5dbfc1cb93d365c69a536d03eaf5de979b6e244bf056b8845ed4201e1f2b894c
Instruction ID: 39a745d647074fd8ca2bf02195213166f712adfbde25970ae9aa8c04652db307
Opcode Fuzzy Hash: 5dbfc1cb93d365c69a536d03eaf5de979b6e244bf056b8845ed4201e1f2b894c
Instruction Fuzzy Hash: 395137741193429FE710CF04D868B5BBBE5FB85714F24490CF6A59B2E0C7B4994CCB92

Function 006317F2 Relevance: 6.1, APIs: 4, Instructions: 121
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0063188E
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 006318C1
NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00631964
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00631997

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 40f3f6d68c96ef95223e039b6917e59bc45cd837b22e742ece153629aae9a735
Instruction ID: 60636e270e9bb491439a7840ac515f4884ec59b18175ce4c9d1016adafeaf15e
Opcode Fuzzy Hash: 40f3f6d68c96ef95223e039b6917e59bc45cd837b22e742ece153629aae9a735
Instruction Fuzzy Hash: B94134742193069FE300CF04C854B2BBBE5FB86754F24991CF5A19B2E0D774D948CBA6

Function 006341A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00634252
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0063429A

Strings

$, xrefs: 00634227

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: $
API String ID: 292159236-3993045852
Opcode ID: 9e5b6bff7894702c98c1a3966f675dd846ce14db95ff52049ad4546013931d7f
Instruction ID: 413ac77bd1cd1f29ae53d982cb7082dfcded147bdfa3850c32d6a15cb82986dd
Opcode Fuzzy Hash: 9e5b6bff7894702c98c1a3966f675dd846ce14db95ff52049ad4546013931d7f
Instruction Fuzzy Hash: 38315C74209305AFE310DF15DC80B6ABBE9EF86714F24991CFA949B3D0D771E9448B92

Function 00634090 Relevance: 3.1, APIs: 2, Instructions: 85
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00634133
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00634177

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 55c3f4d4b72938fb24263fa594d08f19f04257600724e27d5c513f0a1627cfbf
Instruction ID: e412d11dadbfd78d46544e066612610d07bcc4e95d38b23a31b158cfdaf478e0
Opcode Fuzzy Hash: 55c3f4d4b72938fb24263fa594d08f19f04257600724e27d5c513f0a1627cfbf
Instruction Fuzzy Hash: B2318F75208706AFD700CF04DC44B6ABBE9EB85360F14861CF9A4973E0D770E908CBA2

Function 00616010 Relevance: 3.1, APIs: 2, Instructions: 69
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 006160AD
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 006160DF

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 86680074fbbe3690bd397b9dec6b1e1e97ceb955884401ac1b1fdb3fd6ff9008
Instruction ID: daafd59298b27070413df7c2b132ee0efb1225c81e1abff7d15cd3fb082b68a6
Opcode Fuzzy Hash: 86680074fbbe3690bd397b9dec6b1e1e97ceb955884401ac1b1fdb3fd6ff9008
Instruction Fuzzy Hash: E8215B74109305ABD300DF15DC54B5BBBE9EB89764F24891CF5A4873D0D3769848CBA2

Function 0060A7C0 Relevance: 3.0, Strings: 2, Instructions: 534
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

name="atok" value=", xrefs: 0060A7E4, 0060AD5E
act=life, xrefs: 0060A90E, 0060AA1C

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: act=life$name="atok" value="
API String ID: 0-1821706235
Opcode ID: 792f4da7e4035289c918d598a151142c232117e15a3546bcc47a91e2dd5d1a2a
Instruction ID: 3aba888f834106af130f67e4b73e21a11868b05005ff1db5d2683f0866b3ebf9
Opcode Fuzzy Hash: 792f4da7e4035289c918d598a151142c232117e15a3546bcc47a91e2dd5d1a2a
Instruction Fuzzy Hash: 2222CCB01047818FC325CF29D4906A3BFF2AB5A314B19968DC4E54B7A3D374E946CFA2

Function 006316EC Relevance: 1.5, APIs: 1, Instructions: 44nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000002), ref: 0063176C

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 24ab7876954750fc1125418753707d8692d60a198f94cdeb7af0f86eefa46a58
Instruction ID: 5c4206ba2ffacb93b9b7cbf929a3444c71acd022ccb3869063af09350e46451c
Opcode Fuzzy Hash: 24ab7876954750fc1125418753707d8692d60a198f94cdeb7af0f86eefa46a58
Instruction Fuzzy Hash: 2B014F71698341BEE7249F00DC07F1A7BB2AB81B15F608A1CF260691F5D7F269048F55

Function 006314BF Relevance: 1.5, APIs: 1, Instructions: 15nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000004), ref: 006314DA

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: OpenSection
String ID:
API String ID: 1950954290-0
Opcode ID: 5e6128f1d2a20627cfdafed8658307d18a3285965f1ddfaf2770f982e9400ce0
Instruction ID: df4d885af0b8fd110120e3fe395deda5d78fc5b2b1355a8f6464e550e470f045
Opcode Fuzzy Hash: 5e6128f1d2a20627cfdafed8658307d18a3285965f1ddfaf2770f982e9400ce0
Instruction Fuzzy Hash: D5D0A771550150EBC75CC754DC11D363353ABC1705F18502CF10152273D9709503CB90

Function 006319B2 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?), ref: 006319C9

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d6a2b0fbd7c9f67fb4f57a7dfd96c7a0a472ffc7d157e61ef50414e94108d367
Instruction ID: 0a1e377079db986af7b3df4a34c2d56964c173e0c0c95c39a55c1f3e6be820fa
Opcode Fuzzy Hash: d6a2b0fbd7c9f67fb4f57a7dfd96c7a0a472ffc7d157e61ef50414e94108d367
Instruction Fuzzy Hash: 5FD023348A40C09FC7009B5CEC11825BFA3BF46301F04143CFC91C2331D53946209F50

Function 0060A560 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88592cb06c760dfcff95fe665e1ba1fd49b44f45c6a4fb54bbe380f1e98ebec4
Instruction ID: 64b19b1bd50cd3aafb094f8cbb6e9672eb5d215b663dfafeb8007fe3ffb4711c
Opcode Fuzzy Hash: 88592cb06c760dfcff95fe665e1ba1fd49b44f45c6a4fb54bbe380f1e98ebec4
Instruction Fuzzy Hash: 085126B98242019BD7145F60FC5266A7BE3FB57314F98503CF64893322F3354A54CB96

Function 00631E75 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U)X/, xrefs: 00631A6B
U)X/, xrefs: 00631EC5
V98?, xrefs: 00631EE5
V98?, xrefs: 00631A8B
C%R+, xrefs: 00631F38
R5X;, xrefs: 00631A83
R5X;, xrefs: 00631EDD
C%R+, xrefs: 00631AD8

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: C%R+$C%R+$R5X;$R5X;$U)X/$U)X/$V98?$V98?
API String ID: 0-17140411
Opcode ID: 8d4d967bf14a8a6a4800756bddd6f753bf4badcfd773d0da8bb5b3ed22defe49
Instruction ID: cb78ac98e16e30bc1b461800dd190da5a26ac027dd9873fc2d363d2c78886248
Opcode Fuzzy Hash: 8d4d967bf14a8a6a4800756bddd6f753bf4badcfd773d0da8bb5b3ed22defe49
Instruction Fuzzy Hash: 6041AAB4509342AFD704CF10DAA171BBFE2EB86704F54991CF8891B351E3398A46CBC2

Function 00631A16 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00631B0A

Strings

U)X/, xrefs: 00631A6B
V98?, xrefs: 00631A8B
R5X;, xrefs: 00631A83
C%R+, xrefs: 00631AD8

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID: C%R+$R5X;$U)X/$V98?
API String ID: 1029625771-2675831890
Opcode ID: 7e1f093b1258a1d4625575cb9e445359bd7850217d94d700750bc0a7c49454fe
Instruction ID: 21d49ba6e1842044efebce921a8c8b95efabcb3c99c5542c14f9f632eaaa6148
Opcode Fuzzy Hash: 7e1f093b1258a1d4625575cb9e445359bd7850217d94d700750bc0a7c49454fe
Instruction Fuzzy Hash: 7B21AE745083419FD308CF10DAA171ABFE3EB86745F54991CF4891B311D3398A46DB86

Function 00631B55 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00631C20

Strings

uw, xrefs: 00631B82
pq, xrefs: 00631B8A

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID: pq$uw
API String ID: 1029625771-2542560687
Opcode ID: 08e07f7c868e8174670ff10bd41753d449ef049f58af1c8af363ca67ae48c88b
Instruction ID: f138e055fbae51507d38ec6acbdd90bbdaecd37603b4306a86dcd0acf74c15a2
Opcode Fuzzy Hash: 08e07f7c868e8174670ff10bd41753d449ef049f58af1c8af363ca67ae48c88b
Instruction Fuzzy Hash: 482144752483019BD318CF50D5A032BBBE2EFC6748F545E1DE89A9B290D734D949CBCA

Function 006090A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 0060914C

Strings

eleet or leetspeak, is a system of modified spellings used primarily on the internet. it often uses character replacements in ways that play on the similarity of their glyphs via reflection or other resemblance, xrefs: 00609105

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: ExitProcess
String ID: eleet or leetspeak, is a system of modified spellings used primarily on the internet. it often uses character replacements in ways that play on the similarity of their glyphs via reflection or other resemblance
API String ID: 621844428-3721107060
Opcode ID: dc4e7e4122c572c0e034f5ed893ac10247d1224b7d2459a7bf2109b635718505
Instruction ID: c39ab37cf0eeb64cd8810834921ca7a39cf5eca943bf519c3f6bf67a11db5275
Opcode Fuzzy Hash: dc4e7e4122c572c0e034f5ed893ac10247d1224b7d2459a7bf2109b635718505
Instruction Fuzzy Hash: 3711A1B098C202DAD7487B74990E27B3AB79B55350F21856EF982432C3EA30441796F7

Function 0062F857 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,?,00000000), ref: 0062F861

Strings

\Df, xrefs: 0062F863

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: FreeHeap
String ID: \Df
API String ID: 3298025750-2854437034
Opcode ID: 6d6f4c2eb130e60f79bd51c9da6a7402574b914ceb3e70b29ac93c4fa0f44586
Instruction ID: 5c9995c21427965a52d9b528520f5df8c099036bda200e77499ae1c7d03a55db
Opcode Fuzzy Hash: 6d6f4c2eb130e60f79bd51c9da6a7402574b914ceb3e70b29ac93c4fa0f44586
Instruction Fuzzy Hash: 04C08C302810547AD3248715CCCAF3B2AA9DF8BAA9F201028B606CA2C0CA04A80188EA

Function 0063152A Relevance: 1.6, APIs: 1, Instructions: 93
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00631694

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cc2ecdfaf76dd7f3c874fd4af6963ea7bdf3c9a1afef0191cf96e60f1f0b6929
Instruction ID: 661758c1e6b64b42456c1ea3e629d8a988c2f1baeca52269173a6eb87a88f872
Opcode Fuzzy Hash: cc2ecdfaf76dd7f3c874fd4af6963ea7bdf3c9a1afef0191cf96e60f1f0b6929
Instruction Fuzzy Hash: 9541E2B41083419BD708CF10C9A472FBBE2EFC6718F559A1CE4991B785C374D94ADB86

Function 006322B5 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,FFFFFFFF), ref: 0063231C

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1d26c43c6747fe7ae8470f502dac902249dc148a7dc2ea01a645f8e9e08ecf06
Instruction ID: 48e9ec966b472580adbf3b99870c12b1b1f64810b6dabe939c6773efdfee246e
Opcode Fuzzy Hash: 1d26c43c6747fe7ae8470f502dac902249dc148a7dc2ea01a645f8e9e08ecf06
Instruction Fuzzy Hash: E711E33AA00125CFC718CF68EC61A9AB3F2BB89714F65122DE912E7390C7349C41CB80

Function 00632A7F Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,FFFFFFFF), ref: 00632ADE

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 71baa6a3ce43802c2b5de48e2da8399d6f57fcd33a0ca45414c0df91b99b2a1b
Instruction ID: 6a587ea5df4e020a0255fbf0b788083152dfdf78bc1c9d1859f9be69caf0adce
Opcode Fuzzy Hash: 71baa6a3ce43802c2b5de48e2da8399d6f57fcd33a0ca45414c0df91b99b2a1b
Instruction Fuzzy Hash: F9118C76E00219DFDB08CFA9E89169EBBF2BB88314F61512AE915F3250C7349D45CB80

Function 0062F750 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0062F79F

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d1b0fb02b4f91af7a02270547c3f80147403fa4dc416c9f8736640291eaf655c
Instruction ID: 31819836698a97f695dc1e6ab50ad8f3ce40134b6047d0e31229d4a251a573f5
Opcode Fuzzy Hash: d1b0fb02b4f91af7a02270547c3f80147403fa4dc416c9f8736640291eaf655c
Instruction Fuzzy Hash: 8CF0A072B542104FD304DB29ED1679A77E2ABD4B00F41C83CF484DB258D6389C9ACB8A

Function 00632B50 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00609140), ref: 00632B68

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a2dd0c5cb8c276c31c1b5d8fa068f5230dd93619c513f8db344c6812f151c897
Instruction ID: e9f56d937f135fa160100e705fa4db9a12dbeff26019cf31fcf808edd95a526c
Opcode Fuzzy Hash: a2dd0c5cb8c276c31c1b5d8fa068f5230dd93619c513f8db344c6812f151c897
Instruction Fuzzy Hash: D5D0927D910252EBDF016F61FC6A8053B3BBB07306790A460F10282B30DA23CA20DB00

Non-executed Functions

Function 00628090 Relevance: 38.7, APIs: 4, Strings: 18, Instructions: 210COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32 ref: 006280F2
GetDeviceCaps.GDI32 ref: 0062810D
SelectObject.GDI32 ref: 00628159
SelectObject.GDI32 ref: 006281CE

Strings

$%h, xrefs: 006282B3
$%h, xrefs: 006282DF
$%h, xrefs: 0062832C
$%h, xrefs: 0062829D
$%h, xrefs: 0062838F
$%h, xrefs: 00628321
$%h, xrefs: 006283F2
$%h, xrefs: 0062834D
w%h, xrefs: 006283C6
$%h, xrefs: 006283FD
$%h, xrefs: 006282EA
$%h, xrefs: 006283BB
$%h, xrefs: 00628316
$%h, xrefs: 006282D4
, xrefs: 0062818A
$%h, xrefs: 006282A8
$%h, xrefs: 006283E7
A(h, xrefs: 0062830B

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: CapsDeviceObjectSelect
String ID: $$%h$$%h$$%h$$%h$$%h$$%h$$%h$$%h$$%h$$%h$$%h$$%h$$%h$$%h$$%h$A(h$w%h
API String ID: 4288853314-2799798630
Opcode ID: 69b7f8b1c56d02ba1c6efe3dd1e7c199fcf3eaaf6c37c2a6575de1f08f469e35
Instruction ID: eb996a3375e73486294fb9d46db9922f1553b1f5c369317154591805335c1365
Opcode Fuzzy Hash: 69b7f8b1c56d02ba1c6efe3dd1e7c199fcf3eaaf6c37c2a6575de1f08f469e35
Instruction Fuzzy Hash: 4AD14AB45183808FD3B4DF14E58879ABFE2BBC9304F50991DE4999B394CB725448CFA6

Function 00609C20 Relevance: 15.4, Strings: 12, Instructions: 435COMMON

Download Yara Rule

Strings

S-M/, xrefs: 0060A1B5
C\CP, xrefs: 00609F20
tFsw, xrefs: 00609D68
Y!G#, xrefs: 0060A1C0
U~c, xrefs: 00609E49
X)N+, xrefs: 0060A1AA
SDA^, xrefs: 00609F28
ZW, xrefs: 0060A282
V%T', xrefs: 0060A1CB
01, xrefs: 0060A1EC
!=$?, xrefs: 0060A1E1
0, xrefs: 00609C7D

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: !=$?$0$01$C\CP$S-M/$SDA^$U~c$V%T'$X)N+$Y!G#$ZW$tFsw
API String ID: 0-2350437357
Opcode ID: e0d038640e474041bbf4d11c9ae111246ab6c833e1697e4672bb7f740da4b9a3
Instruction ID: 317d7c966f20ccd946a373fc35455c27d3cb0f3a63c7c96b400da4828bd5d914
Opcode Fuzzy Hash: e0d038640e474041bbf4d11c9ae111246ab6c833e1697e4672bb7f740da4b9a3
Instruction Fuzzy Hash: D002F3B05083828BE728CF15C494B5FBBE2BBC2348F544D1DE5D58B292D779D909CB92

Function 0062513A Relevance: 14.9, APIs: 4, Strings: 4, Instructions: 903nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00625847
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0062587D

Strings

qFvs, xrefs: 00625BC4
eL"M, xrefs: 00625BCB
}Nmk, xrefs: 00625BD2
QQch, xrefs: 00625BD9

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: QQch$eL"M$qFvs$}Nmk
API String ID: 292159236-392577269
Opcode ID: c6de899971679880e22c845d2c0cdd83736ba4334d17995b1b9827bf08205301
Instruction ID: 88c3237f61848f0b6aa7f20de753134bbed52ca5b0d271e2db35edaf7c7c8ae4
Opcode Fuzzy Hash: c6de899971679880e22c845d2c0cdd83736ba4334d17995b1b9827bf08205301
Instruction Fuzzy Hash: 98628970204B528FD334CF29D490762FBF2BF5A314F288A5DD4968BB91D779A846CB90

Function 006300A0 Relevance: 13.9, APIs: 9, Instructions: 433nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00100000,00003000,00000004), ref: 006300F1
NtAllocateVirtualMemory.NTDLL(000000FF,00000010,00000000,?,00003000,00000040), ref: 00630246
NtFreeVirtualMemory.NTDLL(000000FF,?,00000010,00008000), ref: 00630290
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 006302E7
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,0000BA00,00003000,00000004), ref: 00630310
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0063068E

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 1ba80b6f886b7edd9cb15a414dd59fc3fd38dcf8c05988a4607e90b30fc54703
Instruction ID: 8dbb284b809b6fa0d53365d94ca32ae1c33c906227c1a7c88a3fd7787751f3a6
Opcode Fuzzy Hash: 1ba80b6f886b7edd9cb15a414dd59fc3fd38dcf8c05988a4607e90b30fc54703
Instruction Fuzzy Hash: 0CF189756083519FE720CF14C860B5BBBE6BBC9314F148A2DF6A48B392D7719948CB92

Function 0061B6E2 Relevance: 11.1, APIs: 7, Instructions: 623COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e445aaa76ce2daf3fbcabba4708f38e83fe1713d57235db9b90bd65036e1f4ff
Instruction ID: f220ba30527961ef76d01ed75a1b2ef804c6ac212b680c8cfff1393ac98d40be
Opcode Fuzzy Hash: e445aaa76ce2daf3fbcabba4708f38e83fe1713d57235db9b90bd65036e1f4ff
Instruction Fuzzy Hash: C432E135608251CFC715CF28D890BAABBE2FF8A314F4C95ADE58597392C734E885CB91

Function 0061F212 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 576nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0061F497
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0061F4CD
NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0061F613
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0061F64B

Strings

[tDJ, xrefs: 0061F7FD
kNDW, xrefs: 0061F7F3

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: [tDJ$kNDW
API String ID: 292159236-3823844181
Opcode ID: aa86ee53b23fa7b16b6874174c421ce92c770cbdc72ffc2d8bbd7d4c20e56c22
Instruction ID: b2f2662699673f0ea1fe3b3967017a36fdbb1f45286d09fed0f1b40aed4017cc
Opcode Fuzzy Hash: aa86ee53b23fa7b16b6874174c421ce92c770cbdc72ffc2d8bbd7d4c20e56c22
Instruction Fuzzy Hash: 0F125771610B018FE324CF25D880BA3B7F6BB45310F589A2DE59A87BA1D734F845CB90

Function 0061BF40 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0061C064
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 0061C08F

Strings

+Y;[, xrefs: 0061C0A5
!]!_, xrefs: 0061C09D
#U+W, xrefs: 0061C0AD
#r8, xrefs: 0061C22E

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: !]!_$#U+W$#r8$+Y;[
API String ID: 237503144-3298446581
Opcode ID: 234ae0c54e0396c62886ef856f1acd9e2d2bea0b5d585fb7d76081b9ffdff690
Instruction ID: d01787bcec5155129118fe59c35e4b3e88a5d4e0009d7286c0fb74b77bced5a7
Opcode Fuzzy Hash: 234ae0c54e0396c62886ef856f1acd9e2d2bea0b5d585fb7d76081b9ffdff690
Instruction Fuzzy Hash: 93719B70148341DBE3248F14C8A2BABB7F2EF86764F04190DF8919B391E3B89945CB97

Function 0061F930 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 345nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0061F9D1
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0061FA0D
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0061FAC9
NtFreeVirtualMemory.NTDLL(000000FF,?,00000010,00008000), ref: 0061FB05

Strings

c'nc, xrefs: 0061FD15

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: c'nc
API String ID: 292159236-437297503
Opcode ID: d55b973c2af3d63f850113dba9135cd43e660a06b3f9a55daadede0196b778f7
Instruction ID: dcf66bf1320d3b1dfcb708e4fc608b0491f07e610a3a4f6970a1c510c30a7802
Opcode Fuzzy Hash: d55b973c2af3d63f850113dba9135cd43e660a06b3f9a55daadede0196b778f7
Instruction Fuzzy Hash: A8C1CEB16083528FD700CF18C8907ABBBE2EF89754F184A2CF9D99B391D7749944CB96

Function 00634B90 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 320nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00634C34
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00634C7B
NtAllocateVirtualMemory.NTDLL(000000FF,000000B8,00000000,0000BA00,00003000,00000040), ref: 00634D3B
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000010,00008000), ref: 00634D87

Strings

R-,T, xrefs: 00634CC0

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: R-,T
API String ID: 292159236-635581381
Opcode ID: f3e25b5babf02615dcf75ee1c7894b9f14c09241fccd87863f5e7a6a4fda397c
Instruction ID: c6da406614d3f479cf4c3152e7237d7ff142e565772f682cd4ce46e035328a0f
Opcode Fuzzy Hash: f3e25b5babf02615dcf75ee1c7894b9f14c09241fccd87863f5e7a6a4fda397c
Instruction Fuzzy Hash: ADC1D0352083529FC714CF18C890A6AFBE2BFC9314F18865CF9958B3A1DB75E845CB92

Function 00616EA2 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00616F14
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00616F44

Strings

|[f, xrefs: 00616F6F, 0061701A

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: |[f
API String ID: 292159236-1597245652
Opcode ID: 658ce9e0872f43268e9388783d582e527e3b6dd405f7e4e188a799084a4aa1d4
Instruction ID: edcb79c3aeb1dc958bee0318141dfd1cdaf91571988c08e5a149164e5f446d52
Opcode Fuzzy Hash: 658ce9e0872f43268e9388783d582e527e3b6dd405f7e4e188a799084a4aa1d4
Instruction Fuzzy Hash: 02413678210B059FD320CF11D854B96BBFAFB09714F149A1CE6AACBBA0D774E449CB94

Function 0062F880 Relevance: 7.7, APIs: 5, Instructions: 200memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0062F925
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0062F963
RtlAllocateHeap.NTDLL(?,00000000,00000000), ref: 0062F9C1
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0062FA5F
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000010,00008000), ref: 0062FA9B

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$Allocate$Free$Heap
String ID:
API String ID: 996896184-0
Opcode ID: 18eccdb34a943fc2374cdbbb89153195ec98d9e7e9f1c490b15716ed0723cea5
Instruction ID: c1ecb0f61d83bf15472b8ecd8ccd403840b33038a19e85fdab5a7bece7341ad6
Opcode Fuzzy Hash: 18eccdb34a943fc2374cdbbb89153195ec98d9e7e9f1c490b15716ed0723cea5
Instruction Fuzzy Hash: 826199712087119FE310CF19D854B5BBBE6FB89724F248A2CF5A88B3A0D774D844CB96

Function 0061B06E Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

FE33, xrefs: 0061B14E
IMB@, xrefs: 0061B146

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: FE33$IMB@
API String ID: 0-789939345
Opcode ID: aa9710a0d1830737004c89c75b3a96614d752d1df49932d4902b3bdbf9979ee4
Instruction ID: 2e16266e07d2ea3759d63017330153af00c6ac4b8ab5fdac224232cdded4f3b1
Opcode Fuzzy Hash: aa9710a0d1830737004c89c75b3a96614d752d1df49932d4902b3bdbf9979ee4
Instruction Fuzzy Hash: 1C7156B02083819FE364CF24C890BAFBBE2FB85314F54591DF5998B391C774994ACB92

Function 00621B6B Relevance: 6.7, APIs: 4, Instructions: 677COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,7FCC7DCA,00000009,00000000,00000000,?), ref: 00621CA3
RtlExpandEnvironmentStrings.NTDLL(00000000,7FCC7DCA,00000009,00000000,?,?), ref: 00621CD2
RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,00000009,00000000,00000000,?), ref: 006220F3
RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,00000009,00000000,?,?), ref: 0062211F

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: fef4eebeffff1ce98b4bb5d2181a78a7bf57376c6bd3ea27a9cf5a26d69f01ba
Instruction ID: 50bbe2cae7010b6edd995fb2ca487f3aef09507fa7d48a253caea7cd218f6f8d
Opcode Fuzzy Hash: fef4eebeffff1ce98b4bb5d2181a78a7bf57376c6bd3ea27a9cf5a26d69f01ba
Instruction Fuzzy Hash: 384247B4500A019FE324CF29C9A5B22BBF2FF5A314F244A4CE8D58B795D335A846CBD5

Function 00622C15 Relevance: 6.5, Strings: 4, Instructions: 1457COMMON

Download Yara Rule

Strings

3, xrefs: 0062367F
%'te, xrefs: 00623525
JJ;@, xrefs: 00623C01
?, xrefs: 006237CA

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %'te$JJ;@$3$?
API String ID: 0-1321762328
Opcode ID: f0f4efba0fefc7e385a4a8dfdaa1bb004e99f0ea735d517e5a92e3a94a4f1800
Instruction ID: f55dcbb449288b8c9d1bc6a7619b963a815d1315329149d5a1eeaf38b39b7039
Opcode Fuzzy Hash: f0f4efba0fefc7e385a4a8dfdaa1bb004e99f0ea735d517e5a92e3a94a4f1800
Instruction Fuzzy Hash: FAB25F706046928FD729CF29D090762FBF2BF5A304F28859DD0D68F392C739A946CB94

Function 00622C0D Relevance: 6.4, Strings: 4, Instructions: 1357COMMON

Download Yara Rule

Strings

3, xrefs: 0062367F
%'te, xrefs: 00623525
JJ;@, xrefs: 00623C01
?, xrefs: 006237CA

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %'te$JJ;@$3$?
API String ID: 0-1321762328
Opcode ID: 93342fef70809fc482e12f17863f1ee62f4909328c8a18c85a868e3dee9b8f11
Instruction ID: 78fde827f14689a69476f3f03c272b6d73e9a746fa9f3283993f1968d941cc73
Opcode Fuzzy Hash: 93342fef70809fc482e12f17863f1ee62f4909328c8a18c85a868e3dee9b8f11
Instruction Fuzzy Hash: 0FB24F706056928FD725CF28D090B52FBF2BF5A304F28859DD4D68F392C739A986CB94

Function 00634820 Relevance: 6.3, APIs: 4, Instructions: 271nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 006348C4
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00634909
NtAllocateVirtualMemory.NTDLL(000000FF,00000010,00000000,0000BA00,00003000,00000040), ref: 006349C6
NtFreeVirtualMemory.NTDLL(000000FF,00000010,00000010,00008000), ref: 00634A0B

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 500f45f36e6e292954c0dbc1b7a658a2792ded3bd5f3c31dab15ffb8c71f1859
Instruction ID: a910ffd76393bffdbf8e5251d4044652cc0c9dde2a3628a8479edf7d5ec10d5d
Opcode Fuzzy Hash: 500f45f36e6e292954c0dbc1b7a658a2792ded3bd5f3c31dab15ffb8c71f1859
Instruction Fuzzy Hash: 9BA143742083069FD310CF18C890B6AFBE6FF89754F148A1CE9958B3A0DB75E844CB96

Function 00634F90 Relevance: 6.3, APIs: 4, Instructions: 267nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0063506F
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 006350B5

Part of subcall function 0062F750: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0062F79F

NtAllocateVirtualMemory.NTDLL(000000FF,00000010,00000000,0000BA00,00003000,00000040), ref: 00635179
NtFreeVirtualMemory.NTDLL(000000FF,00000010,00000010,00008000), ref: 006351C2

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$Allocate$Free$Heap
String ID:
API String ID: 996896184-0
Opcode ID: 57876e76d9992f69b6b2a04d83cb76f833686121c7ce9960c8429d3167a73335
Instruction ID: 2f607796f6dcd4d9f002a984866e5a66a599f1be44ddcff2e138bfaeb6e6e814
Opcode Fuzzy Hash: 57876e76d9992f69b6b2a04d83cb76f833686121c7ce9960c8429d3167a73335
Instruction Fuzzy Hash: CD91ED342097519BC310CF19D840B6BBBE2EF86314F18866CF8AA87391D375EA45CB92

Function 00634530 Relevance: 6.2, APIs: 4, Instructions: 229nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 006345D1
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00634619
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,0000BA00,00003000,00000040), ref: 006346D5
NtFreeVirtualMemory.NTDLL(000000FF,?,00000010,00008000), ref: 0063471F

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: b5277b40b22fa0ae026bb2d04a6b3f2536942d377a199e8d8dac3b576e478728
Instruction ID: cb528741bab482e62a99820f1e9f0199c7c327cd063930ee865bcb435e830739
Opcode Fuzzy Hash: b5277b40b22fa0ae026bb2d04a6b3f2536942d377a199e8d8dac3b576e478728
Instruction Fuzzy Hash: BA818E746083069FD710CF18C880B6AB7E6FF89764F14862CF9949B3A0DB74E904CB96

Function 0062FD90 Relevance: 6.1, APIs: 4, Instructions: 147nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0062FE51
NtFreeVirtualMemory.NTDLL(000000FF,00000010,00000000,00008000), ref: 0062FE8F
NtAllocateVirtualMemory.NTDLL(000000FF,00000010,00000000,0000BA00,00003000,00000040), ref: 0062FF2F
NtFreeVirtualMemory.NTDLL(000000FF,00000010,00000010,00008000), ref: 0062FF63

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: b616a2feeb6ce4f263b1187941ba03ad36e055564fb6931687643fa88c85a189
Instruction ID: aaf9ebba787e8baea5fa9d702929272ca5388575f42906061b177f0716860ed7
Opcode Fuzzy Hash: b616a2feeb6ce4f263b1187941ba03ad36e055564fb6931687643fa88c85a189
Instruction Fuzzy Hash: 73516575208702AFE310CF05D848B1ABBF9FB86754F64892CF5A58B3E0D7749848CB92

Function 00617B38 Relevance: 6.1, APIs: 4, Instructions: 122nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00617BB8
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00617BEB

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: dd1dbfd5f2048d55015ab29a9227474e2404daa5329df8c2cc77052c4fd84810
Instruction ID: f1c70ab1158869490af51a38a0fe4ce4cc0adb8419c60452dba9d205d5ffd30a
Opcode Fuzzy Hash: dd1dbfd5f2048d55015ab29a9227474e2404daa5329df8c2cc77052c4fd84810
Instruction Fuzzy Hash: 2D413374214B01DFE324CF15D854B52B7F9EB09704F289A1CE2AB8BAA0D770E488CB94

Function 0061AAF0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 338nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0061AE41
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0061AE75

Strings

de, xrefs: 0061AB16

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: de
API String ID: 292159236-2106599819
Opcode ID: ba0b36e18ed95a50e23f9e2b19d1575858cc5cf81abeba352267733cf82ef010
Instruction ID: 344cf19b0ff351b603e2c21a7597086e36bd6c1f95c71306deb172a6201295a7
Opcode Fuzzy Hash: ba0b36e18ed95a50e23f9e2b19d1575858cc5cf81abeba352267733cf82ef010
Instruction Fuzzy Hash: E291BCB19093019BD710DF54D892BABB3E6EF95324F48492CF9918B391E334D984CBA7

Function 00604820 Relevance: 5.5, Strings: 4, Instructions: 508COMMON

Download Yara Rule

Strings

IHDR, xrefs: 00604C77
IDAT, xrefs: 00604CE4
IEND, xrefs: 00604D5F
), xrefs: 006048B8

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )$IDAT$IEND$IHDR
API String ID: 0-3181356877
Opcode ID: 46285ef74dce662ea60a1b86fee8c28b5c70a52d1999995a5edf80c7586bdec1
Instruction ID: c333963035bb2a8876cd106452209b98b5e476c64615c62f317a1fe9fb2176cb
Opcode Fuzzy Hash: 46285ef74dce662ea60a1b86fee8c28b5c70a52d1999995a5edf80c7586bdec1
Instruction Fuzzy Hash: D71201B1A443449FD728CF28D85076B7BE2EB85310F05856CFA858B3D2DB79D909CB92

Function 00617E5F Relevance: 5.5, Strings: 4, Instructions: 501COMMON

Download Yara Rule

Strings

SW, xrefs: 0061830A
azd, xrefs: 00618255
ihW, xrefs: 00617EE0
pq, xrefs: 00618418

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: SW$azd$pq$ihW
API String ID: 0-4235544063
Opcode ID: d7a320545b346f7ff450fb431a73c0e07c373eccd697cffbe4ed6c27bdaebe40
Instruction ID: ed9352049750c9fdef9eb36e0a2f02f18850490350500309682352100f44d385
Opcode Fuzzy Hash: d7a320545b346f7ff450fb431a73c0e07c373eccd697cffbe4ed6c27bdaebe40
Instruction Fuzzy Hash: 6F120FB45093819BE704DF11D4A0B9FBBF2BBC6708F18891CE4D54B395C73A8949CB8A

Function 0061C4BB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0061C74F
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0061C797

Strings

ba, xrefs: 0061C8C6

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ba
API String ID: 292159236-749160980
Opcode ID: 3f64675731240c1182b50c954fc39e170d2fa5b09bfdb2095fd776c158185486
Instruction ID: 33ce62b71b74b518db3ff6d23cedfabf637d858d6faefe69d8d29ad8b4c90603
Opcode Fuzzy Hash: 3f64675731240c1182b50c954fc39e170d2fa5b09bfdb2095fd776c158185486
Instruction Fuzzy Hash: 206112B01083829FD764CF05C895B9BBBE6BBC5318F588D1CE1E98B291CB759509CF92

Function 006343C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 006344E3
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0063451F

Strings

@, xrefs: 00634430

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: @
API String ID: 292159236-2766056989
Opcode ID: 6dc7bef4bcf14d0e49738cb579c9fd5ed568b92df57bbf88dae5e666849fa056
Instruction ID: 9b322cf0513c1d84e01fe65e1b54297bf302077edca95a5b572227809787bead
Opcode Fuzzy Hash: 6dc7bef4bcf14d0e49738cb579c9fd5ed568b92df57bbf88dae5e666849fa056
Instruction Fuzzy Hash: 623147B15093059BD310CF15C884B5BFBE9FF89368F149A1CF9A497390D774E9088B96

Function 0061A8E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0061A98F
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0061A9DF

Strings

,, xrefs: 0061A964

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ,
API String ID: 292159236-3772416878
Opcode ID: 476083704146e9e70db321ffae87a488ade72dd658579aa027ad1f9bfa066683
Instruction ID: 1b7bb400e4fb83c501587475e2b6342cdd7935f449c2de872e162f0a2bd09c1c
Opcode Fuzzy Hash: 476083704146e9e70db321ffae87a488ade72dd658579aa027ad1f9bfa066683
Instruction Fuzzy Hash: 5C215975219305AFE310CF56CC44B6BBBEAFB89764F28891CF69487390D3719844CB92

Function 006342B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00634362
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 006343AA

Strings

$, xrefs: 00634337

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: $
API String ID: 292159236-3993045852
Opcode ID: 247a2e4c8043c537f478a5a6e1c7d1913d0ab2790f6c6701061620f380600359
Instruction ID: e531c31a612d3cf2d8288d1a286e6dc8aa8d6cbabb3d4c4ace83cc3031e575b8
Opcode Fuzzy Hash: 247a2e4c8043c537f478a5a6e1c7d1913d0ab2790f6c6701061620f380600359
Instruction Fuzzy Hash: 1B318C74209305AFE310DF15DC80B1BBBE9EB86754F24491CFA94AB3D0D771E9048B96

Function 006163BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00616454
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00616485

Strings

d, xrefs: 0061648B

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: d
API String ID: 292159236-457199504
Opcode ID: f67916b5541c661c9374bcfcfc7c7ca402be7ea2ce2229f4c9d2b592cd9307e5
Instruction ID: 00924956ee2156fc1893321aa819fd4a1ab1684320d047cf2513bf5aac981103
Opcode Fuzzy Hash: f67916b5541c661c9374bcfcfc7c7ca402be7ea2ce2229f4c9d2b592cd9307e5
Instruction Fuzzy Hash: A9218CB41093029FE300CF05D844B5ABBE9FB89318F58990CF1A5973E1C774E949CB9A

Function 006019D4 Relevance: 3.9, Strings: 3, Instructions: 139COMMON

Download Yara Rule

Strings

[, xrefs: 00601A09
], xrefs: 00601AF6
,, xrefs: 00601AA5

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,$[$]
API String ID: 0-1771569359
Opcode ID: bd5d645b485374a9fb4a6597f676d56e19cf4d97aef748feaa7ba6c184002943
Instruction ID: 242e87ae3ff7db0ab796411be3788286ed6c96981dbaea2c33ce2f52e973c057
Opcode Fuzzy Hash: bd5d645b485374a9fb4a6597f676d56e19cf4d97aef748feaa7ba6c184002943
Instruction Fuzzy Hash: 9541D5B4A843059BE7685F259890277B7E7AF42345F28853CE8C64B3C3EB35DA018B55

Function 00612823 Relevance: 3.5, APIs: 2, Instructions: 492COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,00000000,?), ref: 00612DAE
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,?,?,?), ref: 00612DF9

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 03686183ace7f11b48f0ef8a9b5b4f4f7e38bea53396d9072d0741ff3f88bf0d
Instruction ID: 3df16b285eef428f9c1bc1193351a5d502d1a7ff60c484795c184d04393aef41
Opcode Fuzzy Hash: 03686183ace7f11b48f0ef8a9b5b4f4f7e38bea53396d9072d0741ff3f88bf0d
Instruction Fuzzy Hash: 23124A71504B418FE325CF24C8A5BE7B7E2BF89304F18492CD4AA8B292D77AB455CB84

Function 00605450 Relevance: 3.4, Strings: 2, Instructions: 882COMMON

Download Yara Rule

Strings

0, xrefs: 00605E5E
8, xrefs: 00605E56

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: ad90bd609701dc9d73790fa96c6ec2d2fbdd86de12ad4f7f796a05866d25d3fc
Instruction ID: 10e7114f60faea1b7c4e0297295d72d4afbc21e8c413d69597a0254951bceaa1
Opcode Fuzzy Hash: ad90bd609701dc9d73790fa96c6ec2d2fbdd86de12ad4f7f796a05866d25d3fc
Instruction Fuzzy Hash: AF8257716487409FD728CF18C88479BBBE2AF88314F18892DF98A8B391D775D945CF92

Function 00624EE6 Relevance: 3.2, APIs: 2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efec8ffe4bc77097067bb20c207ba6efbfe5a1a7aa74ecb458d94a5bb8173620
Instruction ID: 2583016d5a55d750898415ab5cb29636c29339b08e285921448ff25cdf7555b8
Opcode Fuzzy Hash: efec8ffe4bc77097067bb20c207ba6efbfe5a1a7aa74ecb458d94a5bb8173620
Instruction Fuzzy Hash: 81416D74100B419FD360CF19D9A0B62BBE2FF8A714F645A0CE5E68B790D775A805CFA1

Function 0061C3B8 Relevance: 3.1, APIs: 2, Instructions: 134nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0061C564
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0061C5A6

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 0a18ec845bbc6fa0eba78a3122ab136ce153ffa9f3bd2f3672f822a16379b50c
Instruction ID: 388e1cd4c57e226b552efe4b831d4ee00a993662317188fed8334ab75df8df59
Opcode Fuzzy Hash: 0a18ec845bbc6fa0eba78a3122ab136ce153ffa9f3bd2f3672f822a16379b50c
Instruction Fuzzy Hash: 8C51F0B41193819FE324CF05D890BAEBBE6BB85314F189A1CE1968B390D774D549CBA2

Function 0062FB40 Relevance: 3.1, APIs: 2, Instructions: 106nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0062FC4F
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0062FC8C

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 9b24bb6f962d526327a36b67adc1f3ea6bdd9992fddeba7a5dba62ab966f7a79
Instruction ID: 10d5e49fe48fed5d29b68f1d94a0f6c37c07f8378dfcbe95de528d82095cf7ac
Opcode Fuzzy Hash: 9b24bb6f962d526327a36b67adc1f3ea6bdd9992fddeba7a5dba62ab966f7a79
Instruction Fuzzy Hash: 7F313AB01083069FE300DF15D854B5BBBEAFB85758F148A2CF4A48B3D0D7B59949CB96

Function 006215A3 Relevance: 3.1, APIs: 2, Instructions: 91nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00621944
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0062197B

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 5ad9de3c7cacfdcf2941343b611e53b7ed0821efd5416184d3b4e04ed64dd975
Instruction ID: e5a0ef8138a733ba9e87c3b31949cd95e34d010968339afe61826bc5c9e459e0
Opcode Fuzzy Hash: 5ad9de3c7cacfdcf2941343b611e53b7ed0821efd5416184d3b4e04ed64dd975
Instruction Fuzzy Hash: FA313974211B018FE324CF29D890B66B7EAFF4A700F18990CE5A2877A0D770F404CB54

Function 0062DC00 Relevance: 3.1, APIs: 2, Instructions: 86nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0062DCAF
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0062DCF1

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 139414ba00f7a1075337f364db1182dc1b8c4ef1dcefaf7d5a9a713b9628bc14
Instruction ID: d209cec6c86e5e055dd5f98afc6084b204a1a83f590fce3fe10b7126acf38702
Opcode Fuzzy Hash: 139414ba00f7a1075337f364db1182dc1b8c4ef1dcefaf7d5a9a713b9628bc14
Instruction Fuzzy Hash: AA216974208315AFD300CF05DC94B5BBBE9EB8A364F64891DFAA487390D3719844CBA2

Function 00619B1C Relevance: 3.1, APIs: 2, Instructions: 84nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00619BC7
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00619BF6

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 6742484649fe4e2473eeb4076e6a4d01f33cfd12e4bf03f9462479739000eaf7
Instruction ID: 025cecdb568748e888120da1d234880df514c3d0791bf17d6743a3f90d50fa59
Opcode Fuzzy Hash: 6742484649fe4e2473eeb4076e6a4d01f33cfd12e4bf03f9462479739000eaf7
Instruction Fuzzy Hash: 6131787591020ADFDB04CFA8D894BEEBBB5EB09314F281118E611F73A0D770A944CBA4

Function 0061E3B0 Relevance: 3.1, APIs: 2, Instructions: 84nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0061E44E
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0061E488

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: a6a52c7af1a9a3a4d19aef4d2b160edb18c4962dba3c14f570c2e36f493becd7
Instruction ID: 1443aa261c4fe775f61106a3b9fe3de396d1284631af94e9b134f0f5d54310cd
Opcode Fuzzy Hash: a6a52c7af1a9a3a4d19aef4d2b160edb18c4962dba3c14f570c2e36f493becd7
Instruction Fuzzy Hash: AB2123B4200B418FD320CF25C984B92B7E5FB09318F64991CE6AB87BA0C7B0F849CB54

Function 00613B44 Relevance: 3.1, APIs: 2, Instructions: 83nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00613C30
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00613C70

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: ce25edbffa7ecc0fe08b9b77b3a8ec937e27f202a6873a46d60c561117e1b1a9
Instruction ID: 02b5fce06d309dff781371d142ac32d9cf5d8ec846ba36054134db51bac05775
Opcode Fuzzy Hash: ce25edbffa7ecc0fe08b9b77b3a8ec937e27f202a6873a46d60c561117e1b1a9
Instruction Fuzzy Hash: 56316574201B118FE768CF29C890BA7B7F2EB49310F14591CE2AB87BA1DB35B441CB44

Function 0062FF90 Relevance: 3.1, APIs: 2, Instructions: 83nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00630043
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00630082

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 27dd96084ff47a88b193e5c8b1563be690d2d0972404d99b08886dfe9f55b76b
Instruction ID: 25c1d7e03ab1060c9ba07cb2748079c79b752b5fca0c79244001cdd3642cf282
Opcode Fuzzy Hash: 27dd96084ff47a88b193e5c8b1563be690d2d0972404d99b08886dfe9f55b76b
Instruction Fuzzy Hash: 8F217C74208305AFD310DF05D894B5BBBE9EB8A764F148A2CFA9487390D371D848CBA2

Function 006171B9 Relevance: 3.1, APIs: 2, Instructions: 80nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0061742A
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00617459

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 48d66e5190a81c14f1e843af1ae940e30fb811443ba222c66e606d9cd6cf6611
Instruction ID: c0d8bbaa245140add5ee24927a1f2a2bf5477b46f5fe6567051bc190b90b13eb
Opcode Fuzzy Hash: 48d66e5190a81c14f1e843af1ae940e30fb811443ba222c66e606d9cd6cf6611
Instruction Fuzzy Hash: FB214375214B018FE324CF24D854B52B7E6EB09714F289A1CE2A6C7BA0D7B4A645CB90

Function 0061E4F2 Relevance: 3.1, APIs: 2, Instructions: 79nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0061E5BA
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0061E5F5

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 0f06f7a270231cbc9681a1541785dd01d513c052fa50e2af6e3472402923f6a8
Instruction ID: 55ddadecd0bc72baf8fd2129882deedf49a05a6fe1238f0e0fa34744b9cf0c6c
Opcode Fuzzy Hash: 0f06f7a270231cbc9681a1541785dd01d513c052fa50e2af6e3472402923f6a8
Instruction Fuzzy Hash: BC313575214B458FE324CF28D898BA3B7E6FB09304F58191CE2AB87790DB71B444CB61

Function 0061418B Relevance: 3.1, APIs: 2, Instructions: 75nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0061438D
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 006143E6

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 2f628fc6e4876b06521d733cb30ea6de8806c142b70427b19b5f5597f3cfebd0
Instruction ID: 36000fc01fac9b525002216fb5e9b8e4c4c7028f1eef3d21558ed18a99168ee5
Opcode Fuzzy Hash: 2f628fc6e4876b06521d733cb30ea6de8806c142b70427b19b5f5597f3cfebd0
Instruction Fuzzy Hash: 94215A75251B029FD320CF24C855BA7B7E9FB0A320F181A1CE6AA877D0DB70B445CB55

Function 0062FCA0 Relevance: 3.1, APIs: 2, Instructions: 70nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0062FD41
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0062FD71

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 6ebb5820e48fcd6ebcc4fef9e57bce3c242de691ed5cfe5bd1722c9e63ae609c
Instruction ID: eba74085400e29ac0f956a85387075a081f3cfa98db870da863db75c1252745c
Opcode Fuzzy Hash: 6ebb5820e48fcd6ebcc4fef9e57bce3c242de691ed5cfe5bd1722c9e63ae609c
Instruction Fuzzy Hash: 51216AB4209706AFE310DF05E844B6BBBE9EF85754F14892CF5948B3A0D3759848CBA2

Function 006190C1 Relevance: 3.1, APIs: 2, Instructions: 69nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00619154
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0061918D

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: d51d86dc7da6bcd2326e9b86b0b53ca3d2ac534d6d8374cddcc7c855053d6d00
Instruction ID: 2b75b9172f3c972157e556f7111c2d88fabb2b23636249501fae596a6ef63e1e
Opcode Fuzzy Hash: d51d86dc7da6bcd2326e9b86b0b53ca3d2ac534d6d8374cddcc7c855053d6d00
Instruction Fuzzy Hash: 7A2149741083419FE304CF04C854BAAB7EAFB89318F185A1DF6A5973E0C7B4D945CB96

Function 00624FDC Relevance: 3.1, APIs: 2, Instructions: 55nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0062503A
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00625072

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 03ff0a8bd7b8eddd11fcd5b7a8423399c73735812b0fbeee74569e4470248b8e
Instruction ID: e007c10544e9de81f2bd66f6ee423dde4f86c01ace0a8b6b31876675c513833f
Opcode Fuzzy Hash: 03ff0a8bd7b8eddd11fcd5b7a8423399c73735812b0fbeee74569e4470248b8e
Instruction Fuzzy Hash: B2118B74154B059FE360CF24CC18B52BBE6FB06718F24990CE6A68BBD0D7B0B404CB50

Function 0061E960 Relevance: 2.8, Strings: 2, Instructions: 264COMMON

Download Yara Rule

Strings

]\_, xrefs: 0061EC50
Y[, xrefs: 0061EC48

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: Y[$]\_
API String ID: 0-3803755346
Opcode ID: 1101922c18d238547f3775dafd49a3070d8ad6f1385fb3411ca4147beec849ba
Instruction ID: 06073173e9bdeffacb72a3646dc05d89e1f78a17dcfde66cd1cce531bedda365
Opcode Fuzzy Hash: 1101922c18d238547f3775dafd49a3070d8ad6f1385fb3411ca4147beec849ba
Instruction Fuzzy Hash: 789156B05083418BD724CF15C8917ABBBF1FF82754F188A1CE8928B391E379D949CB96

Function 00623DC0 Relevance: 1.9, Strings: 1, Instructions: 693COMMON

Download Yara Rule

Strings

khgn, xrefs: 006241D9

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: khgn
API String ID: 0-185697465
Opcode ID: cafff81340f68773c5ef21049ab799f2a034b12777284e0e50870a266c6c6b02
Instruction ID: 22ab16adda9c5868abb1b521cf5757cbf250399862c726ece51426faee8130f7
Opcode Fuzzy Hash: cafff81340f68773c5ef21049ab799f2a034b12777284e0e50870a266c6c6b02
Instruction Fuzzy Hash: EE326D74104A918FE725CF29D4A0B62BBF2EF5A304F28498CD4D64B396D735A846CFA0

Function 00601000 Relevance: 1.8, Strings: 1, Instructions: 583COMMON

Download Yara Rule

Strings

, xrefs: 00601206

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 84470806ec68453f9cfdf31f1764514ab28d27545a1494e454b8d88344104789
Instruction ID: 44b9d7722f2f37dc13a614e38d406ce0da851fe9cae2efa948506fede658af00
Opcode Fuzzy Hash: 84470806ec68453f9cfdf31f1764514ab28d27545a1494e454b8d88344104789
Instruction Fuzzy Hash: FB222871A487818BD32D8E28C4A03ABBBE3AB93310F18891DE5D64F3D2D3799D45C781

Function 0062520B Relevance: 1.7, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

f_, xrefs: 0062571B

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: f_
API String ID: 0-2333948650
Opcode ID: 3d124801a3a77b83a1e02fdd0341811de16ecc28b30f90f12ad7104105ab12cd
Instruction ID: 541c87b236864bae74b3e966e050b26f889f6bb12c620e6e00dd9982d222dba0
Opcode Fuzzy Hash: 3d124801a3a77b83a1e02fdd0341811de16ecc28b30f90f12ad7104105ab12cd
Instruction Fuzzy Hash: E9E16AB0504A528FD739CF29C090762FBE2BF5A314F68865DD4D68B791C739A846CF90

Function 006252A9 Relevance: 1.7, Strings: 1, Instructions: 433COMMON

Download Yara Rule

Strings

f_, xrefs: 0062571B

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: f_
API String ID: 0-2333948650
Opcode ID: eef3d88d9d87778db7b4652a7e3218610abab0b44b55217ac1b48f97550683ad
Instruction ID: 1d546201cf3cb9bfbc65da4ebf0b46848b957e0019df54e5328db3a513dd2d5e
Opcode Fuzzy Hash: eef3d88d9d87778db7b4652a7e3218610abab0b44b55217ac1b48f97550683ad
Instruction Fuzzy Hash: A9E19BB0504E528FD7398F29C090762FBE2BF5A314F68869DD4D68B791C339A846CF90

Function 0062466A Relevance: 1.7, Strings: 1, Instructions: 422COMMON

Download Yara Rule

Strings

S@ZQ, xrefs: 00624A38

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: S@ZQ
API String ID: 0-3562939948
Opcode ID: a9b9664ca93ed26a51e298bfaff7bec50608ef400e4c8ced7535ef0347635690
Instruction ID: f667b1215317f0344710835a7425cc47a7fd3ddf8f5f35b2f3970e71924452c0
Opcode Fuzzy Hash: a9b9664ca93ed26a51e298bfaff7bec50608ef400e4c8ced7535ef0347635690
Instruction Fuzzy Hash: 54E17DB0104A928FE725CF29D0A0762FBF2BF56304F28869CC4D24B796C779A845CF95

Function 00624A1C Relevance: 1.6, Strings: 1, Instructions: 361COMMON

Download Yara Rule

Strings

S@ZQ, xrefs: 00624A38

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: S@ZQ
API String ID: 0-3562939948
Opcode ID: 3c858184358981f4d85b155c6d302e4678ac12f895b90bc104af8f02a317dc07
Instruction ID: da74def9fbdaf2f72b0b8281e134d8bb9c99a8aeee408759c6de261b1852014e
Opcode Fuzzy Hash: 3c858184358981f4d85b155c6d302e4678ac12f895b90bc104af8f02a317dc07
Instruction Fuzzy Hash: 25D19EB01046928FE725CF29D0A0762FBE2BF56304F28869CC4D64F796C77AA805CF95

Function 006137F3 Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000006,?,00000200,?), ref: 006138C4

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 13d3c85b4615bc4a59649b72879200e448e972e253e015db4bcf3ee3196ee2ca
Instruction ID: e540dd1a99ef4dfcbecf8c44f84741d775d04613072ff14dcf3375e567b3fd5c
Opcode Fuzzy Hash: 13d3c85b4615bc4a59649b72879200e448e972e253e015db4bcf3ee3196ee2ca
Instruction Fuzzy Hash: 3E315675200B118BD7288F20C891BE3B3F6EF4A321F08680DE5978B791E775B946CB50

Function 00619350 Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

1iDk, xrefs: 00619402

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 1iDk
API String ID: 0-1621131942
Opcode ID: 40e3497affd5838ee2a64c9266babcdbb0824583537f37809c85260c3e6c1d03
Instruction ID: 97bef6cc4671f92d922ad1e9500c40478678027886131ac39a48d5554cf148fb
Opcode Fuzzy Hash: 40e3497affd5838ee2a64c9266babcdbb0824583537f37809c85260c3e6c1d03
Instruction Fuzzy Hash: EBC113B5100B019BD724CF26D491B96BBF2FB49314F088E5CD4EA8BA52D738F589CB94

Function 006067F0 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

,, xrefs: 00606943

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6453aa0199f8805114bbc91ebdd927ccc4af3d64524ec0081da15823b0fba469
Instruction ID: a1a784c98efd998fd2626a81fd7612aa3bb7f4843a4925029d6a807b3e0795bb
Opcode Fuzzy Hash: 6453aa0199f8805114bbc91ebdd927ccc4af3d64524ec0081da15823b0fba469
Instruction Fuzzy Hash: A4B13A71549381AFD314CF68C84465BFBE1AFA9304F448A5DF4D897382D371EA28CBA6

Function 00611CFA Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

&ib, xrefs: 00611E7A

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: &ib
API String ID: 0-3556914138
Opcode ID: c584a9ef9b196f35301d63f03c023c3a244fca80412bf7eef0aff40b772dfdb8
Instruction ID: 8b91b93cc46d5eea7b96a1fdeb5dc19676fb0dd0713916144c400f0e9ee75e5c
Opcode Fuzzy Hash: c584a9ef9b196f35301d63f03c023c3a244fca80412bf7eef0aff40b772dfdb8
Instruction Fuzzy Hash: B55136B0900B418FD726CF24D490BA3B7E6BF46314F188A1DD4AA8B651E734A889CB90

Function 00616266 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

mn2, xrefs: 00616379

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: mn2
API String ID: 0-3593888445
Opcode ID: 2f6feb7bbba6d9a36e0d194ad22fa1ca21480b95abaa030f12a0b4cd2b60e997
Instruction ID: 7a1c5df01da48ebf43aec7f2b228f48f0959759a6a2e7c1f9ee2fea26b451f5c
Opcode Fuzzy Hash: 2f6feb7bbba6d9a36e0d194ad22fa1ca21480b95abaa030f12a0b4cd2b60e997
Instruction Fuzzy Hash: 5531C37695422087C724CF18CC926B772F2FF66360B0D912CF8968B3A1E735A980C355

Function 0062095B Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

q, xrefs: 00620A53

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-389260800
Opcode ID: fd89b0ac61635f8e31948339efb294c4e165623bb205d73bc02341a6779d1e94
Instruction ID: 47d1229a58037b815096043246ca0b5dc4f048247ee28b7585a5ed01f62f5551
Opcode Fuzzy Hash: fd89b0ac61635f8e31948339efb294c4e165623bb205d73bc02341a6779d1e94
Instruction Fuzzy Hash: A53136B0605B508BDB28CF20D8D1A567BB2BB45300F54999CD9478FB8BC33AE546CB95

Function 00617031 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

|[f, xrefs: 00616F6F

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: |[f
API String ID: 0-1597245652
Opcode ID: 94d720820091ecce57fd7fb1e02fc2a10f603433bc67df24c1dd22b15cc1f91f
Instruction ID: 57fe72ad69ba5ceda90f91757d49772e29caad8760dad25553115cefa38cb445
Opcode Fuzzy Hash: 94d720820091ecce57fd7fb1e02fc2a10f603433bc67df24c1dd22b15cc1f91f
Instruction Fuzzy Hash: 1EE0C23D242502CF8B08DB19F8A1AB56363EB86709BAC711CF812C7B64C624A882DB14

Function 00607E10 Relevance: .9, Instructions: 851COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83622410ff41487bf125e1c11d66996ff3ae748d359dbd726af2f124ffe188aa
Instruction ID: 1cfc7081b8fd93316fd42dfd50d6fd0c498aefe1ea41cf2191792cf8cd2187f3
Opcode Fuzzy Hash: 83622410ff41487bf125e1c11d66996ff3ae748d359dbd726af2f124ffe188aa
Instruction Fuzzy Hash: 2052C031A487158FC768DF58D8806ABB3E2FFD4314F29892DD9C287391EB34A955CB42

Function 00603390 Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e4bd60441f4d9a148eade4c1ee339b3a455c5a65b59791d18d12e27629b9d59
Instruction ID: fc6c6c5565c98677d54ea867c8e6f04e5ca38d66f25127d4d6b39d2b7e7a861e
Opcode Fuzzy Hash: 3e4bd60441f4d9a148eade4c1ee339b3a455c5a65b59791d18d12e27629b9d59
Instruction Fuzzy Hash: 3F62A3715483618FC719CF19C0806AAB7E6FF98315F188AADE4D89B382D375ED46CB81

Function 00603E20 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10728f2fdb3c82ed86ad80418d99a9f99a3d8e122e006348203d38bfbab1a8e3
Instruction ID: d4fe7b5feb5f25a9a177071ecfcc2cb830b6f29f6a2b65352afa4aff74d79ab8
Opcode Fuzzy Hash: 10728f2fdb3c82ed86ad80418d99a9f99a3d8e122e006348203d38bfbab1a8e3
Instruction Fuzzy Hash: 474236B0554B118FC328CF29C99066BBBF2FF95310B608A2DD6978BB90DB35B945CB10

Function 00606200 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd1fb4559eb3b5879a4cf4f469239533c2d0f8da58bdd087bc8caa4b216edbd
Instruction ID: c781e412c4811064b94f39869e459ae1f4cdc6a2f4f9fc9ec91db17fcf35bcb6
Opcode Fuzzy Hash: 1cd1fb4559eb3b5879a4cf4f469239533c2d0f8da58bdd087bc8caa4b216edbd
Instruction Fuzzy Hash: 8A02C2312483418FC719CF28C88066BBBE2EF98304F59896DF9998B392D771DC15CB92

Function 00618AF0 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbad3e94e5a9f7f5de47208d573d2cdf32fd8807ea27ac502defd54347f0225
Instruction ID: 819926914ea060a0050c86a46ce616b9da0783c37c38110cfa2415aa5befe173
Opcode Fuzzy Hash: 7fbad3e94e5a9f7f5de47208d573d2cdf32fd8807ea27ac502defd54347f0225
Instruction Fuzzy Hash: EBC18AB05083118BD724CF14C8A17ABB7F2FFA2354F188A1CE8D54B394E7799985CB96

Function 00608B60 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a8cfbe20685a7acaecfd507fba7407d09a65a06d1d063fb600c04dee358162
Instruction ID: d9e4abe4599a9783f1b03a33a9126986e8de732a3d139aba90aaa1fcdb658c90
Opcode Fuzzy Hash: a4a8cfbe20685a7acaecfd507fba7407d09a65a06d1d063fb600c04dee358162
Instruction Fuzzy Hash: 76D1D872A486028FC318DE29D890257FBE3AFD5360F69C75DD5D5473E6EA3488428B81

Function 006125E9 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81018694aa78c1e716461f9a8e75c36b848fc824f8e65b06c374abb3211741b4
Instruction ID: 1dacec052355104a76f500a8f38d3205e0fe309d499a51388ae7a68d05153db0
Opcode Fuzzy Hash: 81018694aa78c1e716461f9a8e75c36b848fc824f8e65b06c374abb3211741b4
Instruction Fuzzy Hash: A6514B75600B418FC325CF29C490AA3B7E7FB89320B18992DD496C7B91EB34F895CB80

Function 006147AF Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b019692425a09303d39f623cd44726ac4fd58f61cf1254e5f0b9d3ec104b8a
Instruction ID: 1785b84651646ce35cb2b83a0f0f975988f221d3549e05be29c5129f8c13130e
Opcode Fuzzy Hash: 93b019692425a09303d39f623cd44726ac4fd58f61cf1254e5f0b9d3ec104b8a
Instruction Fuzzy Hash: 28518DB0600B418FD725DF25C4807A7B3E6AF89310F188A2DD4AB87781EB70F885CB94

Function 0062D9A0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14a77e03b9ec93c491432ccf29bf4971831dd60c9a72ab418a1cdfe84afe96e
Instruction ID: 332d1a3ec9bbca0579d83ecc40be5062efef75252c00481f1c0fb84b3d28bfe8
Opcode Fuzzy Hash: b14a77e03b9ec93c491432ccf29bf4971831dd60c9a72ab418a1cdfe84afe96e
Instruction Fuzzy Hash: 52518CB19087558FE714DF29D8A075BBBE1AB84308F108D2DE4E583391D775DA09CF92

Function 00611600 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25ff072b905ab41a43a263bd51dabac0fe720d5423ab91b7ff52faddedb8dc34
Instruction ID: 950ad4b527fc9b08ae2e43afeebb0388f8b8185db48647a3e08fd5581c6cfd5b
Opcode Fuzzy Hash: 25ff072b905ab41a43a263bd51dabac0fe720d5423ab91b7ff52faddedb8dc34
Instruction Fuzzy Hash: FE412472A1C2A44BD3488E398C903BABAD2ABC6310F1C876EF5D5CB3D0D675C985D791

Function 00602FB0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7b9edd057f0bd4ebd6d878b4c367c2736961421c73129eb45130ce626aa877
Instruction ID: b7966e6b1ee8921c24dc94f11834b4640cfedc86d5c4c315814daac89c98e061
Opcode Fuzzy Hash: 8d7b9edd057f0bd4ebd6d878b4c367c2736961421c73129eb45130ce626aa877
Instruction Fuzzy Hash: 2621F63169917107CB0CCA36D8E06B77B93D7C632271E92AEDA83473D5CA399909C760

Function 006088C0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7b8f47dfd71d7cccb983fbf7aaa8102b2f4aceb73621c04df20fc30f488878
Instruction ID: 56438ec0bd580c8a5a08968357f91ad2cd9533eadb321e2796e2d87c58011093
Opcode Fuzzy Hash: fe7b8f47dfd71d7cccb983fbf7aaa8102b2f4aceb73621c04df20fc30f488878
Instruction Fuzzy Hash: D221A4268897E149C73FC53C40A0477FED258A622935E86EED8E657383C8168886D3E6

Function 006089A0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27196f8ff10a336b0c0aaca2e1a977e1861f62a8436cdef7aa3826bbf0062200
Instruction ID: 8b86453bfb6e478939574ea4e2a35ee200d1a6957bafcb606aff6e3978acd3ea
Opcode Fuzzy Hash: 27196f8ff10a336b0c0aaca2e1a977e1861f62a8436cdef7aa3826bbf0062200
Instruction Fuzzy Hash: 3C11C63668A6844D873DD91C8851CB7BA4685B630475E81EFE98997793CC15CC0AC26A

Function 0061504F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7704065a3f17410aa70789dba6da9b466a407180359547efc14c7a24cc0a5add
Instruction ID: 60bae19527007927a1e885cae01f4e76969dd2078e4b3639692c9a1bc0c5390c
Opcode Fuzzy Hash: 7704065a3f17410aa70789dba6da9b466a407180359547efc14c7a24cc0a5add
Instruction Fuzzy Hash: 351190313467814FD36A8B24C865BE6BBF1AF47310F08046EC4DBC7682CA286855CB46

Function 00627386 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b636913788da2555a7993620c85a1c07fa82ee2841d816320263c6520b4690f7
Instruction ID: 2e9aa600a088ffc9b82c74aa3fde0f2d8fbf0eaea93fb1809dfb73ec43c238a1
Opcode Fuzzy Hash: b636913788da2555a7993620c85a1c07fa82ee2841d816320263c6520b4690f7
Instruction Fuzzy Hash: D7F049711087418FC312CF34C955A8BBBF6BF89300F168A6ED49987251D774B609CB82

Function 0063276D Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d433e8337907ec1fe44dfbb9c5c1afca368722fe33ce722c12ef47d1994c33
Instruction ID: 02828c3c5796f887443de39551c5ec8e2fa5933fd16d14a138a7acadbfc4cf1c
Opcode Fuzzy Hash: 45d433e8337907ec1fe44dfbb9c5c1afca368722fe33ce722c12ef47d1994c33
Instruction Fuzzy Hash: 60D0C784A500A047CB08AB32AC0AE333E2B8ED3383B0C6008F0829728AE434C1209279

Function 00632C90 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76890c10a18591d1ad73998eda5c7e73c1d9b690128e7d0f9b5f7edfbb0604a7
Instruction ID: 9aa8767c09c521729ba3c95fb3e364d4b2b1dcea3323284b136c9fc7ce8899a5
Opcode Fuzzy Hash: 76890c10a18591d1ad73998eda5c7e73c1d9b690128e7d0f9b5f7edfbb0604a7
Instruction Fuzzy Hash: 2CC080245541845747249F16EC46C737B3DD64764CB003015D557D7241C911D8C085F9

Function 006332E1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96acdc83bb26c52daa0348bede7862ecf484d4c584e6406ef5c09f1726e2006d
Instruction ID: b16bdb7b29cb66f8b4f80a2b8880460ecdd2db3f45a6ab22ba1e5b0e965246dd
Opcode Fuzzy Hash: 96acdc83bb26c52daa0348bede7862ecf484d4c584e6406ef5c09f1726e2006d
Instruction Fuzzy Hash: 71C0027D9091408B878CCF01D8904B5F377EBDB214B19B449DC422775AD670E8529A48

Function 0060BEDC Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eeb12cff70206765f34a46655f0130863cedbe3ff55d9b1c19124016bbe78a9
Instruction ID: 2f71b5f4ccb087923b2d340ef6417e04bce4696cf43fc78244a4a49fccd919df
Opcode Fuzzy Hash: 5eeb12cff70206765f34a46655f0130863cedbe3ff55d9b1c19124016bbe78a9
Instruction Fuzzy Hash: 6CD05E305401818FC7599E38C2ABB80B7E1AF09200F8944ADD88B8F686CB2062008A10

Function 0061CA30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 0061CB64
RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,?,?), ref: 0061CB93

Strings

qs, xrefs: 0061CA6F
eI.K, xrefs: 0061CA5F
]_, xrefs: 0061CBA1

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: eI.K$]_$qs
API String ID: 237503144-625656762
Opcode ID: d46ac84a83e07fa0994295205b886c8e263c59c6bfb8a561654537cf9f0205fe
Instruction ID: e922934556e7637864377505b83e97a4f3c812eb72ad6eb2e3ca4343d272bc96
Opcode Fuzzy Hash: d46ac84a83e07fa0994295205b886c8e263c59c6bfb8a561654537cf9f0205fe
Instruction Fuzzy Hash: 8A5142B1108342ABD304CF15C891B9BBBF5EF867A4F144E2CF8A48B391D378D9458B96

Function 006164F5 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 00616728
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00616764

Strings

qrs, xrefs: 00616793

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: qrs
API String ID: 237503144-2859022563
Opcode ID: b97c3b5320e30ff43b089c6687dab28bf0f1f02cc7642191862d83cdb8041860
Instruction ID: eaaa3cf73eb41a2d9926bf955467544bf489646a90031c21d5468cc12d8754d9
Opcode Fuzzy Hash: b97c3b5320e30ff43b089c6687dab28bf0f1f02cc7642191862d83cdb8041860
Instruction Fuzzy Hash: 69C17EB5901B009FD760CF29C882763BBF6FF49324F14561DE99A8B7A0E335A445CB92

Function 00618FD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 0061900A
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00619038

Strings

<u0, xrefs: 00619063

Memory Dump Source

Source File: 00000003.00000002.2348269391.0000000000600000.00000040.00000400.00020000.00000000.sdmp, Offset: 00600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_600000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: <u0
API String ID: 237503144-3891312201
Opcode ID: 823aeeb3a768449b45089cbabdf0ae8ed59bcf0d13ee86fef3cc05bcf2c696d5
Instruction ID: d70da2d3ed91f738239dc2efdbf824036dfbb3ade98713e14b9129d00822354a
Opcode Fuzzy Hash: 823aeeb3a768449b45089cbabdf0ae8ed59bcf0d13ee86fef3cc05bcf2c696d5
Instruction Fuzzy Hash: DE0104316403047FE3109B288C86FB7727EDB86B64F541218FA21CB2C1E770B90886F5

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_476.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

UDP Packets

Windows Analysis Report
LisectAVT_2403002A_476.exe

Function 00633EB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147
nativememoryCOMMON

Function 00630E9D Relevance: 6.1, APIs: 4, Instructions: 127
nativememoryCOMMON

Function 006317F2 Relevance: 6.1, APIs: 4, Instructions: 121
nativememoryCOMMON

Function 006341A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87
nativememoryCOMMON

Function 00634090 Relevance: 3.1, APIs: 2, Instructions: 85
nativememoryCOMMON

Function 00616010 Relevance: 3.1, APIs: 2, Instructions: 69
nativememoryCOMMON

Function 0060A7C0 Relevance: 3.0, Strings: 2, Instructions: 534
COMMON

Function 00631E75 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 126
COMMON

Function 00631A16 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 66
libraryCOMMON

Function 00631B55 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
libraryCOMMON

Function 006090A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
COMMON

Function 0062F857 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
memoryCOMMON

Function 0063152A Relevance: 1.6, APIs: 1, Instructions: 93
libraryCOMMON

Function 006322B5 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON