Edit tour

Windows Analysis Report
LisectAVT_2403002A_214.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_214.exe
Analysis ID:	1482414
MD5:	0550a11fcb665292ced7ad22a049d5c0
SHA1:	353afdabcae90759cce29fe7274bc1bf32e53fce
SHA256:	f373d495ed5e7f60ebf172abf2764fb385addf399a66aefef7f02f4fbb837e0b
Tags:	exe
Infos:

Detection

LummaC, Go Injector, LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Yara detected Go Injector

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_214.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_214.exe" MD5: 0550A11FCB665292CED7AD22A049D5C0)

BitLockerToGo.exe (PID: 7832 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "problemregardybuiwo.fun", "lighterepisodeheighte.fun", "technologyenterdo.shop", "lighterepisodeheighte.fun"], "Build id": "VcS1Q5--newfile"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
LisectAVT_2403002A_214.exe	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1379836943.00007FF610C84000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
00000000.00000002.1619703472.00007FF610C84000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
Process Memory Space: LisectAVT_2403002A_214.exe PID: 7392	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (turkeyunlikelyofw .shop) - Source IP: 192.168.2.8 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T22:38:53.668122+0200
SID:	2050956
Source Port:	63245
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pw) - Source IP: 192.168.2.8 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T22:38:53.640944+0200
SID:	2050953
Source Port:	50217
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (problemregardybuiwo .fun) - Source IP: 192.168.2.8 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T22:38:53.605777+0200
SID:	2050955
Source Port:	52392
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fun) - Source IP: 192.168.2.8 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T22:38:53.630606+0200
SID:	2051473
Source Port:	59977
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T22:38:49.620341+0200
SID:	2022930
Source Port:	443
Destination Port:	49705
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (detectordiscusser .shop) - Source IP: 192.168.2.8 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T22:38:53.618320+0200
SID:	2050996
Source Port:	59523
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (associationokeo .shop) - Source IP: 192.168.2.8 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T22:38:53.682272+0200
SID:	2050952
Source Port:	57670
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lighterepisodeheighte .fun) - Source IP: 192.168.2.8 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T22:38:53.244473+0200
SID:	2051470
Source Port:	56007
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (technologyenterdo .shop) - Source IP: 192.168.2.8 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T22:38:53.593216+0200
SID:	2050998
Source Port:	49180
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T22:39:27.121641+0200
SID:	2022930
Source Port:	443
Destination Port:	49707
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_214.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://lighterepisodeheighte.fun/api	Avira URL Cloud: Label: malware
Source: https://detectordiscusser.shop/api	Avira URL Cloud: Label: malware
Source: https://associationokeo.shop/api/F	Avira URL Cloud: Label: malware
Source: https://associationokeo.shop//P	Avira URL Cloud: Label: malware
Source: technologyenterdo.shop	Avira URL Cloud: Label: malware
Source: https://associationokeo.shop//	Avira URL Cloud: Label: malware
Source: https://turkeyunlikelyofw.shop/apiG	Avira URL Cloud: Label: malware
Source: https://detectordiscusser.shop/j	Avira URL Cloud: Label: malware
Source: associationokeo.shop	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.LisectAVT_2403002A_214.exe.c000ce4000.2.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "problemregardybuiwo.fun", "lighterepisodeheighte.fun", "technologyenterdo.shop", "lighterepisodeheighte.fun"], "Build id": "VcS1Q5--newfile"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: associationokeo.shop
Source: 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: turkeyunlikelyofw.shop
Source: 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: pooreveningfuseor.pw
Source: 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: edurestunningcrackyow.fun
Source: 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: detectordiscusser.shop
Source: 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: problemregardybuiwo.fun
Source: 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lighterepisodeheighte.fun
Source: 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: technologyenterdo.shop
Source: 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lighterepisodeheighte.fun
Source: 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: VcS1Q5--newfile

Source: LisectAVT_2403002A_214.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: LisectAVT_2403002A_214.exe, 00000000.00000002.1611505464.000000C001180000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_214.exe, 00000000.00000003.1600663939.00000217FBA10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: LisectAVT_2403002A_214.exe, 00000000.00000002.1611505464.000000C001180000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_214.exe, 00000000.00000003.1600663939.00000217FBA10000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ebp+00h], 0000h	5_2_0016A560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ecx-08h], CCC8066Ah	5_2_001917F2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh	5_2_00177031
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi+00000128h]	5_2_0017504F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [eax-08h], 0AB35B01h	5_2_0017418B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ebx], ax	5_2_0017F212
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	5_2_0017F212
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], dx	5_2_00176266
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	5_2_001932E1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+10h]	5_2_00179350
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [edx+ebp], al	5_2_00163390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ecx+edx+02h], 0000h	5_2_001943C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then inc edi	5_2_001725E9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [eax], cl	5_2_0018466A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [eax], cl	5_2_0018466A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi], 00000000h	5_2_0017B6E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [eax-08h], A352EDFDh	5_2_0017B6E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, byte ptr [ebx]	5_2_0019276D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esi], ebp	5_2_001617A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esi+000001B0h], 00000000h	5_2_001747AF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [eax], 0000h	5_2_001737F3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+esi]	5_2_001688C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi+40h]	5_2_0018095B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	5_2_0017E960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edx+ebp], bl	5_2_001689A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [eax], cl	5_2_00184A1C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+0Ch]	5_2_00178AF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi]	5_2_00181B6B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi]	5_2_00181B6B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	5_2_00182C15
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	5_2_00182C15
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	5_2_00182C15
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	5_2_00182C15
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi]	5_2_00182C15
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	5_2_00182C15
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], dl	5_2_00182C15
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	5_2_00182C0D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	5_2_00182C0D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	5_2_00182C0D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	5_2_00182C0D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi]	5_2_00182C0D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	5_2_00182C0D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], dl	5_2_00182C0D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	5_2_00169C20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	5_2_00192C90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [ecx+eax+01h], 00000000h	5_2_00171CFA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [eax], cl	5_2_00183DC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [eax], cl	5_2_00183DC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	5_2_00193DE9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+60h]	5_2_00177E5F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	5_2_00177E5F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh	5_2_00176EA2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+000000BCh]	5_2_0017BF40

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: associationokeo.shop
Source: Malware configuration extractor	URLs: turkeyunlikelyofw.shop
Source: Malware configuration extractor	URLs: pooreveningfuseor.pw
Source: Malware configuration extractor	URLs: edurestunningcrackyow.fun
Source: Malware configuration extractor	URLs: detectordiscusser.shop
Source: Malware configuration extractor	URLs: problemregardybuiwo.fun
Source: Malware configuration extractor	URLs: lighterepisodeheighte.fun
Source: Malware configuration extractor	URLs: technologyenterdo.shop
Source: Malware configuration extractor	URLs: lighterepisodeheighte.fun

Source: unknown	DNS traffic detected: query: problemregardybuiwo.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: turkeyunlikelyofw.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: associationokeo.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: detectordiscusser.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lighterepisodeheighte.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: edurestunningcrackyow.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: technologyenterdo.shop replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: lighterepisodeheighte.fun
Source: global traffic	DNS traffic detected: DNS query: technologyenterdo.shop
Source: global traffic	DNS traffic detected: DNS query: problemregardybuiwo.fun
Source: global traffic	DNS traffic detected: DNS query: detectordiscusser.shop
Source: global traffic	DNS traffic detected: DNS query: edurestunningcrackyow.fun
Source: global traffic	DNS traffic detected: DNS query: pooreveningfuseor.pw
Source: global traffic	DNS traffic detected: DNS query: turkeyunlikelyofw.shop
Source: global traffic	DNS traffic detected: DNS query: associationokeo.shop

Source: LisectAVT_2403002A_214.exe	String found in binary or memory: http://beego.me/docs/advantage/monitor.md
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: http://beego.me/docs/module/toolbox.md
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: http://man7.org/linux/man-pages/man5/machine-id.5.htmlSpec
Source: BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop/
Source: BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop//
Source: BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop//P
Source: BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop/api
Source: BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop/api/F
Source: BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop/apii
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://database.usgovcloudapi.net/Items
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://datalake.azure.net/https://api.loganalytics.iohttps://graph.microsoft.us/https://api.loganal
Source: BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://detectordiscusser.shop/
Source: BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://detectordiscusser.shop/api
Source: BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://detectordiscusser.shop/j
Source: BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edurestunningcrackyow.fun/
Source: BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edurestunningcrackyow.fun/api
Source: BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edurestunningcrackyow.fun/apitS
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/mysql-cinder-pd/README.mdAPIVersions
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/mysql-cinder-pd/README.mdContainer
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/mysql-cinder-pd/README.mdList
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/mysql-cinder-pd/README.mdPersistentVolume
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/mysql-cinder-pd/README.mdResourceClaimName
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-itOptional:
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-itgroup
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-ituser
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-podA
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-podIngress
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-podWhether
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-podpodIPs
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/volumes/glusterfs/README.mdIf
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/volumes/glusterfs/README.mdRegisting
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-itA
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-itForce
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-itGo
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-itName
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-itThe
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://examples.k8s.io/volumes/rbd/README.md(?
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-cont
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotencyContr
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataAPIVersi
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataFlexPers
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataIndicate
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataName
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataStatus
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadatalimit
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadatareadOnly
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcesStatefu
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusG
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusH
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusI
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusK
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusL
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusM
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusN
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusR
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusS
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusT
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusW
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusa
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusp
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statust
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsThe
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindscurre
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsresou
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsvolum
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.mdSecretReference
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-classNamespace
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.mdEntrypoint
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://github.com/go-sql-driver/mysql/wiki/old_passwordsreadOnly
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://github.com/go-sql-driver/mysql/wiki/strict-mode
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://github.com/kubernetes-sigs/windows-gmsa)
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://github.com/otan/gopgkrb5cannot
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://github.com/pygments/pygments/blob/15f222adefd2bf7835bfd74a12d720028ae68d29/pygments/lexers/d
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://gohugo.io/methods/page/path/readOnly
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://golang.org/doc/faq#nil_errorcannot
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://golang.org/pkg/unicode/#IsPrint.
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/(.
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://issues.k8s.io/61966Path
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/architecture/nodes/#capacity
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/The
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/If
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/Represents
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/The
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/nodeAffinity
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/configuration/secret/#secret-typesValue
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/configuration/secretID
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/configuration/secretIPFamilyPolicy
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooksHostProcess
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/containers/images
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/containers/images.PodSecurityContext
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-podSchedulin
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/containers/imagesOS
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/nodes/node/#addresses
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/nodes/node/#conditionKind
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/nodes/node/#infomust
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/nodes/node/#phase
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations(?
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectorsImmutable
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectorsThe
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectorslocalhostPr
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/labelsThe
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#namesRepresents
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#namesVerbs
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uidsReceived
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uidsSpecifies
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names0?
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#namesstoragePolicyID
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uidsSpecifies
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/Deprecated:
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/DeprecatedServiceAccoun
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespacesmode
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/policy/resource-quotas/List
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/policy/resource-quotas/secretRef
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/policy/resource-quotas/volumeName
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-serviceMaxSkew
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-typesco
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeportUse
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies(?:(
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxiesClus
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxiesSpec
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxiesdata
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/services-networking/service/An
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1Status
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modesemptyDir
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacityHost
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacityThe
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1Please
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumesOwnerReference
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumesTTY
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaimsA
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaimsName
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaimsPeriodic
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaimsServiceAccount
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaimsThe
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-optionsDeprecated.
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumesItems
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/persistent-volumesfsType
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstoreBounded-sized
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstoremountOptions
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstoreordinals
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#emptydirglusterfs
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#emptydirmatchLabels
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#emptydirpersistentVolumeReclaimPolicy
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdiskStatus
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdiskWhenScaled
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdiskpersistentVolumeClaimVolumeSour
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#hostpathA
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#hostpathName
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#hostpathThe
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#iscsi(?=
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#nfs
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#nfsDeprecated.
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#nfsResources
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#nfsverbs
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#rbdEstimated
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#secret
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumes#secretmonitors
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/storage/volumesSpecifies
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/Represents
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/glusterfs
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/spec
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-ow
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/EndpointSubset
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/If
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/Route
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-templateTolerati
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-templatekind
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicatio
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicati
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontrollerHostAlias
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probesCount
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probesMemory
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probesSpecifies
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probesstatus
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-statusLimits
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditionsA
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditionsIf
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditionsMinimum
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phaseThe
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policySupports
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#quality-of-service-classesversion
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/Pod
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/secretFile
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/GroupVersion
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/Estimated
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-
Source: BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lighterepisodeheighte.fun/
Source: BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607127000.00000000005AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lighterepisodeheighte.fun/api
Source: BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lighterepisodeheighte.fun/apikFz
Source: BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607127000.00000000005AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lighterepisodeheighte.fun/apir
Source: BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607127000.00000000005B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lighterepisodeheighte.fun/z:
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://login.microsoftonline.com/https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.n
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://management.azure.com/https://managedhsm.azure.net/https://servicebus.azure.net/https://datab
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://management.azure.comproto.HydratedTemplateButtongob:
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://management.core.usgovcloudapi.net/https://dev.azuresynapse.usgovcloudapi.netk8s.io.api.apps.
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://management.core.windows.net/https://management.chinacloudapi.cn/https://servicebus.chinaclou
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://microsoftgraph.chinacloudapi.cnk8s.io.api.apps.v1.StatefulSetConditionsucceeded
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://ossrdbms-aad.database.windows.nethttps://management.core.chinacloudapi.cn/https://ossrdbms-a
Source: BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pooreveningfuseor.pw/api/
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://pr.k8s.io/79391
Source: BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://problemregardybuiwo.fun/X
Source: BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://problemregardybuiwo.fun/apiz
Source: BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://technologyenterdo.shop/api
Source: BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://technologyenterdo.shop/apidown
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://tools.ietf.org/html/rfc4648#section-4Expanded
Source: BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turkeyunlikelyofw.shop/
Source: BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turkeyunlikelyofw.shop/api
Source: BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005F4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607255184.00000000005F4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turkeyunlikelyofw.shop/apiG
Source: BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turkeyunlikelyofw.shop/apiire
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.com&ControllerRevisionList
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps://vault.azure.cn/vault.mi
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://web.whatsapp.comserver
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://www.iana.org/assignments/service-names).
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc6455
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc7540

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 5_2_00188090 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

5_2_00188090

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00176010 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_00176010
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_001941A0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_001941A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_001914BF NtOpenSection,	5_2_001914BF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_001916EC NtMapViewOfSection,	5_2_001916EC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_001917F2 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_001917F2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_001919B2 NtClose,	5_2_001919B2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00190E9D NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_00190E9D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00193EB0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_00193EB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0017B06E NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0017B06E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00194090 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_00194090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_001900A0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,RtlAllocateHeap,NtFreeVirtualMemory,	5_2_001900A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_001790C1 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_001790C1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0018513A NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0018513A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0017418B NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0017418B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_001771B9 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_001771B9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0017F212 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0017F212
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_001942B0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_001942B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0017E3B0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0017E3B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_001763BC NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_001763BC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0017C3B8 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0017C3B8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_001943C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_001943C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0017C4BB NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0017C4BB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0017E4F2 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0017E4F2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00194530 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_00194530
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_001815A3 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_001815A3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0017B6E2 LoadLibraryW,GetProcAddress,GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0017B6E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00194820 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_00194820
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0018F880 NtAllocateVirtualMemory,NtFreeVirtualMemory,RtlAllocateHeap,NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0018F880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0017A8E0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0017A8E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0017F930 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0017F930
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0017AAF0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0017AAF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00179B1C NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_00179B1C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00177B38 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_00177B38
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00173B44 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_00173B44
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0018FB40 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0018FB40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00194B90 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_00194B90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0018DC00 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0018DC00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0018FCA0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0018FCA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0018FD90 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0018FD90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00176EA2 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_00176EA2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00184EE6 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_00184EE6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0018FF90 NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_0018FF90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00194F90 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_00194F90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00184FDC NtAllocateVirtualMemory,NtFreeVirtualMemory,	5_2_00184FDC

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0016A7C0	5_2_0016A7C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00161000	5_2_00161000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0018513A	5_2_0018513A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0017F212	5_2_0017F212
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0018520B	5_2_0018520B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00166200	5_2_00166200
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_001852A9	5_2_001852A9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00163390	5_2_00163390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00165450	5_2_00165450
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00171600	5_2_00171600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0017B6E2	5_2_0017B6E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_001667F0	5_2_001667F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00172823	5_2_00172823
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00164820	5_2_00164820
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0017F930	5_2_0017F930
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0018D9A0	5_2_0018D9A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00168B60	5_2_00168B60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00194B90	5_2_00194B90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00182C15	5_2_00182C15
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00183DC0	5_2_00183DC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00167E10	5_2_00167E10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00163E20	5_2_00163E20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00177E5F	5_2_00177E5F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00162FB0	5_2_00162FB0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 001688A0 appears 44 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 001691B0 appears 146 times

Source: LisectAVT_2403002A_214.exe

Static PE information: Number of sections : 12 > 10

Source: LisectAVT_2403002A_214.exe, 00000000.00000000.1382402676.00007FF6118FE000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename2024archivefrapendiente.exe`> vs LisectAVT_2403002A_214.exe
Source: LisectAVT_2403002A_214.exe, 00000000.00000002.1611505464.000000C001180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs LisectAVT_2403002A_214.exe
Source: LisectAVT_2403002A_214.exe, 00000000.00000003.1600663939.00000217FBA10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs LisectAVT_2403002A_214.exe

Source: LisectAVT_2403002A_214.exe

Binary string: flate: maxBits too largeGetProcessImageFileNameWinvalid tracestate value\Device\NamedPipe\cygwinstreamSafe was not resetREFUND_FAILED_PROCESSINGVERIFIED_INITIAL_UNKNOWNGROUP_CHANGE_INVITE_LINKGROUP_CHANGE_DESCRIPTIONGROUP_PARTICIPANT_REMOVEGROUP_PARTICIPANT_DEMOTEGROUP_PARTICIPANT_INVITEINDIVIDUAL_CHANGE_NUMBERBIZ_MOVE_TO_CONSUMER_APPGROUP_V4_ADD_INVITE_SENTCHANGE_EPHEMERAL_SETTINGproto.HydratedCallButtonproto.SendPaymentMessageproto.GroupInviteMessagenon-empty decoder bufferencodeArray: nil elementno multiplexing ID foundUnknown address type: %sNested channel(id:%d) %sMalformed method name %qBad 'interval' param: %sTotal number of mallocs.key %q is not lower caseinvalid argument type %Tinvalid field number: %dcould not resolve %q: %vItems is a list of Roles&ClusterRoleBindingList{^[A-Za-z_][A-Za-z0-9_]*$gorm:skip_query_callbacktimestamp with time zoneprimary key can't be nilgorm:started_transactionexpected a slice, got %TValue kind is %s, not %sGODEBUG sys/cpu: value "", required CPU feature

Source: LisectAVT_2403002A_214.exe, 00000000.00000002.1601119337.000000C0002C3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: .svgfilenameAATT.csprojfilenamefilename.cAATTfilename.htext/typescriptfilename.idc.vcxprojfilename.x[bp]mAATT.fsprojtext/xml\
Source: LisectAVT_2403002A_214.exe, 00000000.00000002.1601119337.000000C0002C3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: .csprojfilenamefilename.c
Source: LisectAVT_2403002A_214.exe	Binary or memory string: <filename>*.csproj</filename>

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@8/0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 5_2_00187386 CoCreateInstance,

5_2_00187386

Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe

File created: C:\Users\Public\Libraries\nfkba.gif

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe

File opened: C:\Windows\system32\0a2aa9af1ac0c82d9411875aa6fb7e19797ecf62d29149e7cb144117185745acAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: LisectAVT_2403002A_214.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LisectAVT_2403002A_214.exe	String found in binary or memory: baseProfiletter-spacinglyph-orientation-verticalignment-baseline-shiftext-anchorx1buffered-renderingclip-patheightext-decorationclip-rulenable-backgroundisplay1contentScriptTypecontentStyleTypecursory2fill-ruleflood-color-interpolation-filterscriptext-renderingflood-opacitypefont-familyfont-size-adjustop-colorfont-stretchrefeImagefont-stylefont-variantfont-weightforeignObjectimage-renderingmarker-endominant-baselinemarker-midmarker-startmaskerningmetadatamissing-glyph-orientation-horizontalighting-color-profilepatternpointer-eventshape-renderingpointsolid-color-renderingpolygonpolylinepreserveAspectRatioverflowhite-spacestop-opacitystroke-dasharraystroke-dashoffsetstroke-linecapaint-orderstroke-linejoinstroke-miterlimitstroke-opacitystroke-widthsvgswitchsymbolunicode-bidirectionusevector-effectversionviewBox2viewport-fill-opacityvisibilityword-spacingwriting-modefsolid-opacityxml:space
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: -ms-filteradial-gradientext-emphasis-colorgbackground-attachmentext-indentext-justify-contentext-kashida-spacelevationavajowhitext-decoration-line-heightext-overflow-xx-largerichnessaddlebrowno-repeat-yanimation-namespacenteruby-overhangainsborosybrownanimation-play-statext-align-lastresscrollbar-arrow-coloruby-positionanimation-timing-functionazimuthoneydeword-breakbackground-originclude-sourcebackground-position-xbackground-position-ybackground-repeat-xbackground-sizebehaviorblackblanchedalmondarkblueboldarkcyanimation-delayer-background-colorborder-bottom-colorborder-bottom-stylemonchiffont-faceborder-bottom-widthslavenderblushborder-box-shadoword-spacinghostwhitext-decoration-colorborder-collapseashellawngreenborder-colorborder-left-colorborder-left-styleborder-left-widthborder-right-colorborder-right-styleborder-right-widthborder-spacingrid-areanimation-durationormalphacceleratorphansandybrownonempty-cellsans-serifantasyborder-styleborder-top-colorborder-top-styleborder-top-widthborder-widthburlywoodarkgoldenrodarkgraycaption-sideepskybluecaret-colorchartreusechocolatext-autospaceclampadding-boxclearcolumn-counter-resetransition-propertycolumn-rule-colorcolumn-rule-stylecolumn-rule-widthcolumn-widthcornflowerbluecornsilkcue-aftercue-beforestgreenvisibilitycurrentcolorcursivecursordarkvioletdocumentdodgerbluedpcmargin-topadding-rightdpitch-rangedppxflex-growflex-shrinkflex-wrapadding-topage-break-afterfloattransition-delayer-background-imagefloralwhitesmokeyframescrollbar-dark-shadow-colorfont-familyfont-size-adjustify-itemscrollbar-face-colorfont-stretcharsetfont-stylefont-variantiquewhite-spacefont-weightfuchsianimation-fill-modeeppinkhz-indexx-smalleroyalbluegrid-column-gapage-break-beforegrid-column-startgrid-row-endarkolivegreengrid-row-gapage-break-insidegrid-row-startgrid-template-areascrollbar-track-colorgrid-template-columnsolidarkorangeredarkgreenyellowgreengrid-template-rowspeak-headerimportantinheritinitialicebluevioletter-spacingrid-auto-columnscrollbar-highlight-colorinvertical-align-itemspeak-numeralayout-grid-char-spacingrid-auto-flowjustify-selfirebricklayout-grid-line-breaklayout-grid-modegrid-auto-rowscrollbar-shadow-colorlayout-grid-typeachpufflex-basiscrollbar-base-colorlightbluelightcoralign-selflex-directionlightcyanimation-directionlightgoldenrodyellowlightgraylightgreenlightpinklightsalmonlightseagreenlightskybluelightslatebluelightsteelbluelightyellowlimegreenlinear-gradientlist-style-imagelist-style-positionlist-style-typelocalcadetbluemaskmax-heightmax-widthmediumaquamarinemediumbluemediumorchidarkorchidarkkhakime-modefaultransition-timing-functionmediumpurplemediumseagreenmediumslatebluemediumspringgreenmediumturquoisemediumvioletredarksalmonospacemidnightbluemin-heightmin-widthmintcreamarker-offset-anchormistyrosemmarkspeak-punctuationmoccasindianredarkseagreenoffset-distanceoffset-pathoffset-positionoffset-rotatext-decoration-styleolivedrabackground-clipadding-bottomargin-rightransition-durationoutline-coloroutl
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: ipconfigfc00::/7ff00::/8100::/64yamux:%sbalancerchannelz%s -> %scode: %smax_idleerrs<10serrs<10merrs<10hall timedistTmplseveritymemstatsGODEBUG=tdewolffMin %s%sMax %s%scalendardemotypeRSS homelayouts/keywordsTopRightGaussianBlackmanBartlettmodifiedassoc-ifbit-nandbit-orc1bit-orc2char-intclass-ofcomplexpcopy-seqcount-ifdescribefceilingimagpartintegerpkeywordpldb-testlogandc1logandc2logcountmap-intomismatchnbutlastnoteverynreversepackageppathnamepositionproclaimrationalrealpartstring<=string>=string/=subst-ifsubtypeptruenameunexportuninterny-or-n-pmacroletdefclassdefmacrotypecaseoptimizesequencecl-blockcl-callfcl-defuncl-ecasecl-fletcl-letfcl-progvcl-psetfcl-psetqdefgroupdefsubstdefthemenoreturndefconstautoloadcar-safecdr-safecharsetpcommandpcopysigndowncasefile-aclfont-getfont-putgap-sizeget-bytemapatomsmax-charoverlaypprocessppurecopyrecentersetplisttime-addtty-typeuser-uiddefaliasfeaturephtml+kid.sveltepackage \{(?=\s)\s+#.\n/[^\s#]variable[^#$\s]+0b[01_]+abstract\.[0-9]+(?:if)\b(?:do)\b(?:in)\bdo-whilecase-sepcall-sep[^\\\s]+wheneverCallablecompilerCompUnitCX::WarnCX::TakeCX::RedoCX::NextCX::LastCX::EmitCX::DoneEncodingIO::PathIO::PipeIO::SpecIterableIteratorJunctionlonglongRationalSequenceSupplierSystemicVariableWhateverabsoluteaccessedadd_roleaddendumallocateantipairarchnameassumingbail-outbasenameBIND-KEYBIND-POSbind-udpcallsamecallwithclassifycodenamecomposercontainscontentscurupdirdaycountDEFINITEdefiniteEVALFILEexitcodeexpectedFALLBACKhardwarehh-mm-ssinfinitecicumfixinvocantis-primeiteratorlastcalllives-okmaxpairsminpairsnew_typenextsamenextwithon-closeos-errorpackagespath-sepprematchprint-nlprint-topull-onepush-allrelativeRUN-MAINsamecasesamemarksamewithset_nameset_authshort-idsink-allskip-onesplitdirsubparsetertiarythrottletimezoneto-posixtrailingtypenameundefineunimatchuninamesuniparseunipropswordcasewrite-to#[^\n]$(:)(\w+)\$[/!
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine ChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtraDeprecatedOther_MathRIPEMD-160.localhostwsarecvmsgwsasendmsgIP addressunixpacket netGo = SHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1POSTALCODEexecerrdotSYSTEMROOTtable nameone_outputUSERDOMAINres binderres masterresumptionexp masterConnectionlocal-addrimage/webpaudio/wavevideo/webmfont/woff2RST_STREAMEND_STREAMSet-Cookie; HttpOnlybytes */%d stream=%dset-cookieuser-agentkeep-alive:authorityconnectionequivalentHost: %s
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: bad kind: %sunknown nameavx5124fmapsavx512bitalgempty objectraw-protobufplugin.protologrus_errorPdhOpenQuerynotificationmessage_infomatched-textannouncementfirst_usable192.0.2.0/242001:10::/2864:ff9b::/96192.0.0.0/29192.0.0.0/24plugin.EmptyListenSocketNormalSocketgrpc-messagegrpc-timeoutGrpc-Messagesitemapindextaxonomytermadjust-arrayalpha-char-papropos-listassoc-if-notbit-vector-pchange-classclear-outputcompile-filecount-if-notdecode-floatdigit-char-pfill-pointerfind-packagefind-restartfloat-digitsforce-outputhash-table-pintersectionlower-case-pmachine-typemake-packagepackage-nameprint-objectrestart-nameslot-missingslot-unboundstring-equalstring-lesspsubst-if-notsymbol-plistsymbol-valueupper-case-pwrite-stringdefparameterhandler-bindhandler-caserestart-bindrestart-case&environmentsingle-floatdouble-floatsimple-arrayreader-errorstream-errorunbound-slotrandom-statecl-defstructcl-etypecasecl-eval-whendefvar-localdont-compilelexical-letoref-defaultoset-defaultpcase-dolistwith-timeoutsetq-defaultassoc-stringcall-processcase-table-pchar-charsetchar-table-pclear-stringcolor-gray-pcurrent-timedelete-fielddelete-framedo-auto-saveerase-bufferfield-stringfont-match-pfontset-fontfontset-infofontset-listforward-charforward-lineforward-wordframe-live-pgap-positionimage-mask-pkill-processload-averagelookup-imagemake-overlaymemory-limitmove-overlaymsdos-memgetmsdos-memputother-bufferplist-memberpoint-markerprocess-listprocess-markprocess-nameprocess-typequit-processread-commandredraw-frameregexp-quotescroll-rightselect-frameset-file-aclstop-processstring-bytesstring-matchstring-widthsyntax-tablesystem-userswidget-applywindow-edgeswindow-framewindow-pointwindow-startwrite-regionx-list-fontsx-popup-menutext/x-gosrctext/x-perl6subdirectivenested_block[^\s#{}$\]]+^\s(\{)\s$attr-dstringattr-sstring(?:import)\bimport-identpreproc-exprtypedef-bodybracket-openclass-memberclass-method(function)\bprop-get-set(?:switch)\b(?:return)\barray-access^(#[^#].+\n)(?<!['\w:-])(?<=^\|\b\|\s)CancellationDistributionIO::ArgFilesPod::HeadingWhateverCodeexperimentalaccepts_typeadd_fallbackapp_lifetimeatomic-fetchcombinationscomposalizercompose_typedid-you-meandone-testingeval-dies-okexcludes-maxexcludes-minfull-barrierhas_accessorpostcirumfixis-leap-yearload-repo-idmethod_tablenativesizeofpackage-kindpermutationspush-exactlyread-uint128redispatcherreplace-withroutine-typeset_is_mixinsubst-mutatetotal-memorytrim-leadingtruncated-towhole-secondwrite-int128write-uint16write-uint32write-uint64metaoperatorsubstitutionsingle-quote[<>,:=.%+\|][{}()\[\]\\][\w"\-!/&;]+LITE_RUNTIMESTRING_PIECE%v: %v => %v(database)s$macroman_binarmscii8_binserverPubKeywriteTimeoutError %d: %sUNSIGNED INTSERIALIZABLEtx is closedserializableAWS StandardAWS ISO (US)ca-central-1eu-central-1eu-central-2il-central-1me-central-1auditmanagercodeartifactcodecatalystcodepipelinecognito-synccontact-lenscontroltowerdata-ats.iotdataexchangedatapipelinefinspace-apiimportexportiotanalyticsiotfleetwiseiottwinmakerkafkaconnect
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: ULwesithathuDownArrowBarDownTeeArrowExponentialEGreaterEqualGreaterTildeHilbertSpaceHumpDownHumpIntersectionLeftArrowBarLeftTeeArrowLeftTriangleLeftUpVectorNotCongruentNotLessEqualNotLessTildeProportionalRightCeilingRoundImpliesShortUpArrowSquareSubsetUnderBracketVerticalLineblacklozengeexponentialerisingdotseqtriangledowntriangleleft<![endif]-->fill-opacityfont-stretchfont-variantmarker-startstop-opacitystroke-widthunicode-bidiword-spacingwriting-modeminify-out-*bad Tc valuebad Th valuebad Tq valuebad Pq valuebad Td valuebad Ta value#ansidarkred#ansifuchsia%02x%02x%02xusingbygroupExposureTimeMeteringModeExposureModeWhiteBalanceGPSVersionIDGPSLongitudeGPSTimeStampGPSSatelitesGPSDateStampsigned shortserver errorBindComplete<(%s,%s),%s>_timestamptzCoInitializeRoInitializemonokailightparaiso-darkrainbow_dashalgol_nu.xmlcolorful.xmldoom-one.xmlfriendly.xmllovelace.xmlpygments.xmlinvalid JSONVariableDeclArgumentDeclStmt(switch ...Binding((new.target)if statement%sRawText: "^[ ]{0,3}<\?NotHumpEqualvarsubsetneqvarsupsetneqECMABoundary, unindex = Windows 1250Windows 1251Windows 1252Windows 1253Windows 1254Windows 1255Windows 1256Windows 1257Windows 1258FootnoteLinkFootnoteListTaskCheckBoxTOO_MANY_FOOlevel 3 resetsrmount errortimer expiredexchange fullRegEnumKeyExWRegOpenKeyExWCertOpenStoreFindNextFileWMapViewOfFileVirtualUnlockWriteConsoleWFreeAddrInfoWgethostbynamegetservbynameparsing time out of range in duration is too largeDeleteServiceStartServiceWFindResourceWGetDriveTypeWModule32NextWThread32FirstRtlGetVersionRtlInitStringCoTaskMemFreeEnumProcessesShellExecuteWExitWindowsExGetClassNameWtimeEndPeriodWTSFreeMemoryFindFirstFileWSACloseEventgethostbyaddrgetservbyportWSAResetEventWSAIsBlockingSysFreeStringSafeArrayLockSafeArrayCopyVarI2FromDateVarI2FromDispVarI2FromBoolVarI4FromDateVarI4FromDispVarI4FromBoolVarR4FromDateVarR4FromDispVarR4FromBoolVarR8FromDateVarR8FromDispVarR8FromBoolVarDateFromI2VarDateFromI4VarDateFromR4VarDateFromR8VarDateFromCyVarCyFromDateVarCyFromDispVarCyFromBoolVarBstrFromI2VarBstrFromI4VarBstrFromR4VarBstrFromR8VarBstrFromCyVarBoolFromI2VarBoolFromI4VarBoolFromR4VarBoolFromR8VarBoolFromCyVarUI1FromStrCreateTypeLibClearCustDataLoadTypeLibExVarDecFromUI1VarDecFromStrVarDateFromI1VarBstrFromI1VarBoolFromI1VarUI1FromUI2VarUI1FromUI4VarUI1FromDecVarDecFromUI2VarDecFromUI4VarI1FromDateVarI1FromDispVarI1FromBoolVarUI2FromUI1VarUI2FromStrVarUI2FromUI4VarUI2FromDecVarUI4FromUI1VarUI4FromStrVarUI4FromUI2VarUI4FromDecBSTR_UserSizeBSTR_UserFreeVarI8FromDateVarI8FromDispVarI8FromBoolVarDateFromI8VarBstrFromI8VarBoolFromI8VarUI1FromUI8VarDecFromUI8VarUI2FromUI8VarUI4FromUI8VarUI8FromUI1VarUI8FromStrVarUI8FromUI2VarUI8FromUI4VarUI8FromDecOMAP From SrcInterfaceImplStandAloneSigAssemblyRefOSEFI byte codeMIPS with FPUDebugStrippedHighEntropyVAEFI ROM imageRISC-V Low12sMIPS JMP AddrRISC-V Low 12Albanian (sq)Armenian (hy)Assamese (as)Corsican (co)Croatian (hr)Estonian (et)Galician (gl)Georgian (ka)Gujarati (gu)Japanese (ja)Kashmiri (ks)Konkani
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: /debug/events=... setting.unpublishdateinput was nilalphanumericpbyte-positionchar-downcasechar-greaterpdelete-if-notdeposit-fielddocumentationfile-positionfinish-outputmacroexpand-1make-instancemake-pathnamemake-sequencemember-if-notnext-method-pnintersectionnsubst-if-notopen-stream-pparse-integerpathname-hostpathname-namepathname-typepprint-indentpprint-linearrassoc-if-notread-sequenceremove-if-notremove-methodslot-exists-psoftware-typestring-upcasesubstitute-ifunuse-packageignore-errorsextended-charsimple-vectorstandard-charunsigned-bytecontrol-errorpackage-errorprogram-errorstyle-warningstring-streamcl-do-symbolsdefine-advicebackward-charbitmap-spec-pbool-vector-pbuffer-live-pbuffer-stringccl-program-pcharset-aftercharset-plistcopy-sequencedefault-valuedelete-regiondiscard-inputdowncase-wordend-kbd-macrofile-exists-pfile-locked-pget-file-chargnutls-deinitgnutls-errorpiconify-framekeymap-parentkeymap-promptlax-plist-getlax-plist-putmarker-buffermsdos-mouse-poverlay-listsoverlay-startposn-at-pointprocess-plistquery-fontsetread-functionread-variablerename-bufferreplace-matchselect-windowset-quit-charsort-charsetsstart-processsuspend-emacssystem-groupsterminal-listterminal-nametime-subtracttty-top-frameundo-boundaryunify-charsetunlock-bufferupcase-regionuse-local-mapuser-real-uidwindow-bufferwindow-list-1window-live-pwindow-parentwindow-systemx-file-dialogx-focus-framex-select-fontx-synchronizeforward-pointdefine-widgetcl-check-typetext/x-genshi@[^\s]+(?=\s)matcher_token[0-9]+[km]?\b^(\s)(##.)$py:[\w-]+\s=(`)([^`])(`)(?:package)\b(?:typedef)\bstring-singlestring-doublepreproc-errorabstract-bodymeta-call-sepbracket-closeoptional-expr(?:\+\+\|\-\-)bracket-checkhaxe-pre-proc^(#{2,6}.+\n)dynamic-scopeHyperWhateverIO::CatHandleIO::Path::QNXIO::Spec::QNXMONKEY-TYPINGadd_attributeatomic-assignclassify-listdays-in-montheval-lives-okpush-at-leastskip-at-leaststore-repo-idsub_signaturetrim-trailingtype_captureswrite-uint128double-quotesC?X::['\w:-]+escape-c-name(?<=<)[\|!?.]+pod-paragraphpod-formatter-bottom-stack:lang\W+(\w+)[^\\\n\[*`:]+BoxResamplingnot reachablestrings.Join(^(ax\|test)is$(octop\|vir)i$(x\|ch\|ss\|sh)$utf8_czech_ciutf8_roman_cisavepoint sp_amazonaws.comAWS ISOB (US)sc2s.sgov.govapi.detectivedkr-us-east-1dkr-us-east-2dkr-us-west-1dkr-us-west-2api.sagemakerappconfigdatabackupstoragedata.jobs.iotdirectconnectforecastqueryfrauddetectorgroundstationidentitystoreioteventsdataiotroborunnerapi-eu-west-1api-us-east-1api-us-west-2lakeformationlookoutvisionmodels-v2-lexrds.ca-west-1rds.us-east-1rds.us-east-2rds.us-west-1rds.us-west-2resiliencehubrolesanywheres3-external-1servicequotasssm-incidentsaws-cn-globalus-gov-east-1us-gov-west-1us-iso-east-1us-iso-west-1IsPlaceholderReservedNamesassertIntegerreadFieldHashskipFourBytestrySkipStringdecode base64invalid inputstruct Decodeunknown field_grpc_config.LOGGER_CLIENTLOGGER_SERVERvoor ChristusGreenwich-tydMaleisi
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine RegSetValueExWOther_ID_StartPattern_SyntaxQuotation_Markinternal error.in-addr.arpa.unknown mode: unreachable: /log/filter.go/log/helper.godata truncated
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: stop log entryconfig_helpers:\w+(\[.+?\])?(line %d:%d): protobuf error[]ClusterRole{ResourceNames:[]RoleBinding{Required valueInternal error%v NOT IN (%v)gorm:row_queryAUTO_INCREMENTVARCHAR(65532)DEFAULT VALUES(%v.%v %s (?))RequestTimeoutRequestExpired_light_yellow_not a data URIinvalid kind: no digits readGetSystemTimesEnumPageFilesWhttp.client_ipnot a PNG file192.168.0.0/16192.88.99.0/24169.254.0.0/162001:0000::/322001:0000::/232001:0200::/48203.0.113.0/24unknown ID: %vhealth_servicegrpc-trace-binshow_sensitivewebappmanifestHannResamplingresampleFilterchar-not-equalchar-not-lesspcopy-readtablecopy-structuredelete-packageget-propertiesgraphic-char-pinput-stream-pinteger-lengthinvoke-restartlong-site-namemacro-functionmake-conditionmake-load-formmuffle-warningno-next-methodnstring-upcasensubstitute-ifpprint-newlinepprint-tabularrandom-state-preadtable-caserename-packagerow-major-arefset-differencesymbol-packagewrite-sequenceunwind-protectdo-all-symbolswith-accessorswith-open-filedynamic-extentsimple-warningbuilt-in-classstandard-classsynonym-streamtwo-way-streamcl-return-frompcase-defmacrowhile-no-inputwith-temp-filecondition-casesave-excursionbacktrace-evalbyte-to-stringcategory-tablechar-to-stringcolor-distancecompute-motioncurrent-buffercurrent-columndbus--init-busdefault-boundpdelete-overlaydelete-processdump-glyph-rowfetch-bytecodefile-regular-pfile-symlink-pfollowing-charfont-drive-otffont-xlfd-nameframe-terminalfunction-equalgfile-rm-watchgpm-mouse-stopgroup-real-gidimage-metadatamake-byte-codemake-temp-namemap-char-tablematching-parenmessage-or-boxmouse-positionmove-to-columnoverlay-bufferposition-bytespreceding-charprevious-frameprocess-bufferprocess-filterprocess-statusrecent-doskeysrecursive-editredraw-displaysearch-forwardselected-frameset-case-tableset-file-modesset-file-timesset-frame-sizeset-input-modeset-match-datasignal-processstring-to-charsyntax-table-ptry-completionunibyte-stringuse-global-mapuser-full-namew32-frame-rectwindow-fringeswindow-hscrollwindow-marginswindow-valid-pwindow-vscrollx-create-framex-display-listx-family-fontsx-get-resourcex-popup-dialog`[a-zA-Z_]\w`embedded/.xmlcomments_pop_1comments_pop_2comments_pop_3\{[\w+.\$-]+\}expr-statement(?:abstract)\b[0-9]+\.[0-9]+0x[0-9a-fA-F]+function-paramfunction-local(?:function)\barray-decl-septype-full-nametype-param-sepIO::Path::UnixIO::Spec::Unixprecompilationadd_enum_valuebase-repeatingchild-typenamecompose_valuesGENERATE-USAGEgenerate_mixinnew-from-pairsprecomp-targetqualifier-typesource-packageverbose-config(>>)(\S+?)(<<)(
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: text/javascripttext/typescriptpageSort.ByDate.File.Extension.Page.File.LangDependencyScopeaggregationRulenonResourceURLsAggregationRuleDuplicate value^[-A-Za-z0-9]+$(?i)^count(.+)$bigint unsignedRETURNING %v.%vEMBEDDED_PREFIX(%v.%v IS NULL)DROP TABLE %v%sResponseTimeoutMissingEndpoint\[[a-z0-9_-]+\]_light_magenta_avx512vpopcntdqinvalid inf.DecPluginPrivilegenet.sock.familybad IHDR lengthbad PLTE lengthbad tRNS lengthbad filter typebad IEND lengthIPv6 wrong size198.51.100.0/24plugin.ConnInfoAuthInfo is nilSERVICE_UNKNOWNunexpected flagunhandled state15:04:05.000000/debug/requestsgoogleanalyticsdisqusshortnamegoldmark.parsermenuSort.ByNameAMP single pageWelchResamplingNearestNeighborarray-dimensioncell-error-namedescribe-objectfile-namestringfile-write-datefloat-precisionhash-table-sizehash-table-testhost-namestringinvoke-debuggermachine-versionmake-hash-tablemerge-pathnamesnset-differenceoutput-stream-ppathname-deviceposition-if-notpprint-dispatchprin1-to-stringprinc-to-stringshort-site-namesimple-string-psimple-vector-pslot-makunboundstandard-char-pstring-downcasestring-greaterpsymbol-functionwild-pathname-pwrite-to-stringload-time-valuesymbol-macroletstandard-methodstandard-objectstructure-classdef-edebug-specdefine-skeletonsave-match-datawith-case-tablewith-file-modeswith-local-quitall-completionsbacktrace-debugbacktrace-framebool-vector-notcapitalize-wordcoding-system-pcompare-stringscompleting-readcopy-hash-tablecurrent-messagedefine-categorydelete-terminaldescribe-vectordirectory-filesdowncase-regionfield-beginningfile-attributesfile-readable-pfile-writable-pfont-get-glyphsforward-commentframe-parameterframe-text-colsframe-visible-pgarbage-collectget-file-buffergetenv-internalgfile-add-watchgpm-mouse-startinput-pending-pinvocation-namekey-descriptionmake-char-tablemarker-positionmatch-beginningopen-termscriptprevious-windowprocess-commandprocess-contactrecursion-depthsearch-backwardselected-windowset-cursor-sizeset-frame-widthstart-kbd-macroterminal-live-ptest-completiontool-bar-heighttrace-redisplaytrace-to-stderrupcase-initialsuser-login-namevertical-motionw32-has-winsockwindow-top-linewindow-use-timex-get-atom-namex-server-vendorxw-color-valuestext/x-markdown\[\<matcher\>\]\d+[Ee][-+]\d+iabstract-opaquetype-struct-septype-param-typeident-or-string^(\s>\s)(.+\n)IO::Path::PartsIO::Path::Win32IO::Spec::Win32ARGS-TO-CAPTUREcalling-packagecategorize-listenum_from_valueenum_value_listexport_callbackmixin_attributeoffset-in-hourspush-until-lazyset-instruments(?<!(?<!\\)\\)"\^\^\|\^\|\$\$\|\$(?<!(?<!\\)\\)<(?<!(?<!\\)\\)>pod-declaration(?<!(?<!\\)\\)'(?<!(?<!\\)\\){@(debug\|html)\b:(catch\|then)\bembedded/al.xmlembedded/c#.xmlembedded/hy.xmlembedded/io.xml^-?\d+\.?\d$%$CubicResamplingRIFF????WEBPVP8NO_SIDE_EFFECTSLEGACY_REQUIREDLENGTH_PREFIXED%d elided lines(alias\|status)$(x\|ch\|ss\|sh)es$(vert\|ind)ices$big5_chinese_cilatin2_czech_csdec8_swedish_ciswe7_swedish_cieuckr_korean_ciutf8_general_cicp1250_czech_csutf8_tolower_ciutf8_unicode_ciutf8_latvian_ci
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: text/javascripttext/typescriptpageSort.ByDate.File.Extension.Page.File.LangDependencyScopeaggregationRulenonResourceURLsAggregationRuleDuplicate value^[-A-Za-z0-9]+$(?i)^count(.+)$bigint unsignedRETURNING %v.%vEMBEDDED_PREFIX(%v.%v IS NULL)DROP TABLE %v%sResponseTimeoutMissingEndpoint\[[a-z0-9_-]+\]_light_magenta_avx512vpopcntdqinvalid inf.DecPluginPrivilegenet.sock.familybad IHDR lengthbad PLTE lengthbad tRNS lengthbad filter typebad IEND lengthIPv6 wrong size198.51.100.0/24plugin.ConnInfoAuthInfo is nilSERVICE_UNKNOWNunexpected flagunhandled state15:04:05.000000/debug/requestsgoogleanalyticsdisqusshortnamegoldmark.parsermenuSort.ByNameAMP single pageWelchResamplingNearestNeighborarray-dimensioncell-error-namedescribe-objectfile-namestringfile-write-datefloat-precisionhash-table-sizehash-table-testhost-namestringinvoke-debuggermachine-versionmake-hash-tablemerge-pathnamesnset-differenceoutput-stream-ppathname-deviceposition-if-notpprint-dispatchprin1-to-stringprinc-to-stringshort-site-namesimple-string-psimple-vector-pslot-makunboundstandard-char-pstring-downcasestring-greaterpsymbol-functionwild-pathname-pwrite-to-stringload-time-valuesymbol-macroletstandard-methodstandard-objectstructure-classdef-edebug-specdefine-skeletonsave-match-datawith-case-tablewith-file-modeswith-local-quitall-completionsbacktrace-debugbacktrace-framebool-vector-notcapitalize-wordcoding-system-pcompare-stringscompleting-readcopy-hash-tablecurrent-messagedefine-categorydelete-terminaldescribe-vectordirectory-filesdowncase-regionfield-beginningfile-attributesfile-readable-pfile-writable-pfont-get-glyphsforward-commentframe-parameterframe-text-colsframe-visible-pgarbage-collectget-file-buffergetenv-internalgfile-add-watchgpm-mouse-startinput-pending-pinvocation-namekey-descriptionmake-char-tablemarker-positionmatch-beginningopen-termscriptprevious-windowprocess-commandprocess-contactrecursion-depthsearch-backwardselected-windowset-cursor-sizeset-frame-widthstart-kbd-macroterminal-live-ptest-completiontool-bar-heighttrace-redisplaytrace-to-stderrupcase-initialsuser-login-namevertical-motionw32-has-winsockwindow-top-linewindow-use-timex-get-atom-namex-server-vendorxw-color-valuestext/x-markdown\[\<matcher\>\]\d+[Ee][-+]\d+iabstract-opaquetype-struct-septype-param-typeident-or-string^(\s>\s)(.+\n)IO::Path::PartsIO::Path::Win32IO::Spec::Win32ARGS-TO-CAPTUREcalling-packagecategorize-listenum_from_valueenum_value_listexport_callbackmixin_attributeoffset-in-hourspush-until-lazyset-instruments(?<!(?<!\\)\\)"\^\^\|\^\|\$\$\|\$(?<!(?<!\\)\\)<(?<!(?<!\\)\\)>pod-declaration(?<!(?<!\\)\\)'(?<!(?<!\\)\\){@(debug\|html)\b:(catch\|then)\bembedded/al.xmlembedded/c#.xmlembedded/hy.xmlembedded/io.xml^-?\d+\.?\d$%$CubicResamplingRIFF????WEBPVP8NO_SIDE_EFFECTSLEGACY_REQUIREDLENGTH_PREFIXED%d elided lines(alias\|status)$(x\|ch\|ss\|sh)es$(vert\|ind)ices$big5_chinese_cilatin2_czech_csdec8_swedish_ciswe7_swedish_cieuckr_korean_ciutf8_general_cicp1250_czech_csutf8_tolower_ciutf8_unicode_ciutf8_latvian_ci
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: OpenFunc not setapplication/tomlpageSort.ByTitlepageSort.ReverseTaxonomyList(%d)template: (.?):[]LabelSelector{AggregationRule:NonResourceURLs:Read after Closerecord not foundgorm:after_queryrow_query_resulttinyint unsignedtimestamp%v NULLcloudsqlpostgresconnection resetavx512vpclmulqdqinvalid name: %qmust be positiveunknown field %vinvalid code: %dInvalid level %dinvalid checksumdefaultInterfaceunsupported typegrpc_stdio.protoplugin.StdioDatainvalid msg typesession shutdown is not exportedServerName: %q, Attributes: %v, <stream: %p, %v>^{h(?::(\d+))?}$^{m(?::(\d+))?}$out of range: %qDART_SASS_BINARYmenuSort.ReverseCosineResamplingarray-dimensionsarray-total-sizecall-next-methodcompute-restartsfind-all-symbolsget-decoded-timehash-table-countlogical-pathnamemachine-instancemake-echo-streamnstring-downcasepackage-use-listparse-namestringpathname-match-ppathname-versionread-from-stringset-exclusive-orshadowing-importsoftware-versionstring-left-trimstring-not-equalstring-not-lessptype-error-datumdefine-conditionwith-open-streamarithmetic-errordivision-by-zerosimple-conditionunbound-variablebroadcast-streamgeneric-functionstructure-objectdeclare-functiondelay-mode-hookseval-and-compilepcase-exhaustivewith-temp-buffersave-restrictionadd-name-to-fileapropos-internalautoload-do-loadbuffer-file-namebuffer-substringbuffer-swap-textbyte-to-positioncategory-table-pchar-or-string-pchar-table-rangeclear-face-cacheclear-font-cachecontinue-processdecode-big5-chardecode-sjis-charencode-big5-charencode-sjis-charexpand-file-namefile-directory-pfile-system-infofont-family-listfontset-list-allformat-mode-lineframe-char-widthframe-face-alistframe-font-cacheframe-parametersframe-text-linesframe-text-widthframe-total-colsget-pos-propertyget-screen-colorinotify-rm-watchinteractive-formlocal-variable-plookup-image-mapmake-bool-vectorminibuffer-depthmsdos-mouse-initnarrow-to-regionnumber-to-stringoverlay-recenterpoint-max-markerpoint-min-markerposix-looking-atprocess-send-eofprocess-sentinelprocess-tty-nameprofiler-cpu-logregion-beginningrun-hook-wrappedset-fontset-fontset-frame-heightset-message-beepset-screen-colorset-syntax-tableset-window-pointset-window-startstring-to-numberstring-to-syntaxtty-no-underlinewindow-new-pixelwindow-new-totalwindow-old-pointwindow-parameterwindow-pixel-topwindow-top-childx-display-planesx-frame-geometryx-parse-geometryx-server-versionzlib-available-pwith-no-warningstext/html+genshiGo HTML TemplateGo Text Templatego-text-template\[[a-zA-Z_]\w\]reStructuredTextrestructuredtextnested_directivedeep_not_matcher[a-z-]+/[a-z-+]+\[(?=[^#{}$]+\])(0\|[1-9][0-9_])parenthesis-openprop-get-set-opttype-parenthesisBacktrace::FrameIO::NotificationIO::Path::CygwinIO::Socket::INETIO::Spec::CygwinMetamodel::C3MROPod::Block::CodePod::Block::Paraatomic-dec-fetchatomic-fetch-addatomic-fetch-decatomic-fetch-incatomic-fetch-subatomic-inc-fetchroles_to_composeset_composalizeruncaught_handlerweekday-of-month)\k<delimiter>)0b[01]+(_[01]+)*(?<!(?<!\\)\\)\[(?<!(?<!
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: OpenFunc not setapplication/tomlpageSort.ByTitlepageSort.ReverseTaxonomyList(%d)template: (.?):[]LabelSelector{AggregationRule:NonResourceURLs:Read after Closerecord not foundgorm:after_queryrow_query_resulttinyint unsignedtimestamp%v NULLcloudsqlpostgresconnection resetavx512vpclmulqdqinvalid name: %qmust be positiveunknown field %vinvalid code: %dInvalid level %dinvalid checksumdefaultInterfaceunsupported typegrpc_stdio.protoplugin.StdioDatainvalid msg typesession shutdown is not exportedServerName: %q, Attributes: %v, <stream: %p, %v>^{h(?::(\d+))?}$^{m(?::(\d+))?}$out of range: %qDART_SASS_BINARYmenuSort.ReverseCosineResamplingarray-dimensionsarray-total-sizecall-next-methodcompute-restartsfind-all-symbolsget-decoded-timehash-table-countlogical-pathnamemachine-instancemake-echo-streamnstring-downcasepackage-use-listparse-namestringpathname-match-ppathname-versionread-from-stringset-exclusive-orshadowing-importsoftware-versionstring-left-trimstring-not-equalstring-not-lessptype-error-datumdefine-conditionwith-open-streamarithmetic-errordivision-by-zerosimple-conditionunbound-variablebroadcast-streamgeneric-functionstructure-objectdeclare-functiondelay-mode-hookseval-and-compilepcase-exhaustivewith-temp-buffersave-restrictionadd-name-to-fileapropos-internalautoload-do-loadbuffer-file-namebuffer-substringbuffer-swap-textbyte-to-positioncategory-table-pchar-or-string-pchar-table-rangeclear-face-cacheclear-font-cachecontinue-processdecode-big5-chardecode-sjis-charencode-big5-charencode-sjis-charexpand-file-namefile-directory-pfile-system-infofont-family-listfontset-list-allformat-mode-lineframe-char-widthframe-face-alistframe-font-cacheframe-parametersframe-text-linesframe-text-widthframe-total-colsget-pos-propertyget-screen-colorinotify-rm-watchinteractive-formlocal-variable-plookup-image-mapmake-bool-vectorminibuffer-depthmsdos-mouse-initnarrow-to-regionnumber-to-stringoverlay-recenterpoint-max-markerpoint-min-markerposix-looking-atprocess-send-eofprocess-sentinelprocess-tty-nameprofiler-cpu-logregion-beginningrun-hook-wrappedset-fontset-fontset-frame-heightset-message-beepset-screen-colorset-syntax-tableset-window-pointset-window-startstring-to-numberstring-to-syntaxtty-no-underlinewindow-new-pixelwindow-new-totalwindow-old-pointwindow-parameterwindow-pixel-topwindow-top-childx-display-planesx-frame-geometryx-parse-geometryx-server-versionzlib-available-pwith-no-warningstext/html+genshiGo HTML TemplateGo Text Templatego-text-template\[[a-zA-Z_]\w\]reStructuredTextrestructuredtextnested_directivedeep_not_matcher[a-z-]+/[a-z-+]+\[(?=[^#{}$]+\])(0\|[1-9][0-9_])parenthesis-openprop-get-set-opttype-parenthesisBacktrace::FrameIO::NotificationIO::Path::CygwinIO::Socket::INETIO::Spec::CygwinMetamodel::C3MROPod::Block::CodePod::Block::Paraatomic-dec-fetchatomic-fetch-addatomic-fetch-decatomic-fetch-incatomic-fetch-subatomic-inc-fetchroles_to_composeset_composalizeruncaught_handlerweekday-of-month)\k<delimiter>)0b[01]+(_[01]+)*(?<!(?<!\\)\\)\[(?<!(?<!
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: truncated profilemalformed profileerror logging: %s:cacheDir/modules:resourceDir/_genno output formatspageSort.ByWeightpageSort.ByLengthpageSort.ByParam.&AggregationRule{&ClusterRoleList{&RoleBindingList{FieldValueTooLongFieldValueTooManyUnsupported value^[-._a-zA-Z0-9]+$must be non-emptya qualified name jinzhu/gorm/..gogorm:after_creategorm:after_deletegorm:query_optiongorm:auto_preloadSAVE_ASSOCIATIONSgorm:after_updategorm:update_attrsSELECT DATABASE()POLYMORPHIC_VALUE ) AS count_tableinvalid range: %v%s: %v is not set%%!%c(dec.Dec=%s)net.protocol.nameno data to encodeUnknown data modegrpc_broker.protostreams exhaustedkeepalive timeoutTRANSIENT_FAILUREgrpc-message-typemenuSort.ByWeightMitchellNetravaliBSplineResamplingHammingResamplingallocate-instancearray-in-bounds-pchar-not-greaterpdelete-duplicatesenough-namestringfunction-keywordslist-all-packagesmake-random-statemethod-qualifiersnset-exclusive-orpackage-nicknamesread-char-no-hangremove-duplicatesshared-initializestring-capitalizestring-right-trimsubstitute-if-not&allow-other-keyscompiled-functionsimple-bit-vectorserious-conditionsimple-type-errorstorage-conditioncl-do-all-symbolsdefine-minor-modeeval-when-compilewith-syntax-tablewith-temp-messagewith-wrapper-hookbacktrace--localsbeginning-of-linebool-vector-unionbuffer-modified-pcapitalize-regioncar-less-than-carchar-category-setchar-table-parentclear-image-cachecoding-system-putcolor-supported-pcommand-remappingcontrolling-tty-pcopy-syntax-tablecurrent-idle-timecurrent-local-mapcurrent-time-zonedebug-timer-checkdump-glyph-matrixdump-tool-bar-rowexecute-kbd-macrofile-executable-pframe-char-heightframe-pixel-widthframe-root-windowframe-text-heightframe-total-linesget-buffer-createget-buffer-windowget-char-propertyget-load-suffixesget-text-propertyimagemagick-typesindirect-functionindirect-variableinotify-add-watchinterrupt-processline-end-positionline-pixel-heightlocal-key-bindingmake-category-setmap-charset-charsmemory-use-countsminibuffer-promptminibuffer-windowopen-dribble-fileprofiler-cpu-stopput-text-propertyre-search-forwardread-key-sequenceset-charset-plistset-keymap-parentset-process-plistset-window-bufferstring-as-unibytestring-to-unibytesuspicious-objecttext-property-anythis-command-keystranspose-regionsw32-shell-executewhere-is-internalwindow-body-widthwindow-left-childwindow-new-normalwindow-parameterswindow-pixel-leftwindow-text-widthx-display-screensx-load-color-filex-open-connectionx-window-propertyembedded/html.xmlapplication/x-kidapplication/x-phptext/x-typoscriptsite_block_commondeep_subdirectiveabstract-relationparenthesis-closeIO::Socket::AsyncMetamodel::MixinsMetamodel::NamingPod::Block::NamedPod::Block::TableTelemetry::Periodalternative-namesconfigure_destroyexplicitly-manageis-initial-threadnative-descriptornew-from-daycountoffset-in-minutessetup_mixin_cache(?<=\[\\?)<(?=\])pre-pod-formatter\n \n\|\n(?=^ *=)TypoScriptCSSDataembedded/abap.xmlembedded/abnf.xmlembedded/agda.xmlembedded/bash.xmlembedded/dart.xmlembedded
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: truncated profilemalformed profileerror logging: %s:cacheDir/modules:resourceDir/_genno output formatspageSort.ByWeightpageSort.ByLengthpageSort.ByParam.&AggregationRule{&ClusterRoleList{&RoleBindingList{FieldValueTooLongFieldValueTooManyUnsupported value^[-._a-zA-Z0-9]+$must be non-emptya qualified name jinzhu/gorm/..gogorm:after_creategorm:after_deletegorm:query_optiongorm:auto_preloadSAVE_ASSOCIATIONSgorm:after_updategorm:update_attrsSELECT DATABASE()POLYMORPHIC_VALUE ) AS count_tableinvalid range: %v%s: %v is not set%%!%c(dec.Dec=%s)net.protocol.nameno data to encodeUnknown data modegrpc_broker.protostreams exhaustedkeepalive timeoutTRANSIENT_FAILUREgrpc-message-typemenuSort.ByWeightMitchellNetravaliBSplineResamplingHammingResamplingallocate-instancearray-in-bounds-pchar-not-greaterpdelete-duplicatesenough-namestringfunction-keywordslist-all-packagesmake-random-statemethod-qualifiersnset-exclusive-orpackage-nicknamesread-char-no-hangremove-duplicatesshared-initializestring-capitalizestring-right-trimsubstitute-if-not&allow-other-keyscompiled-functionsimple-bit-vectorserious-conditionsimple-type-errorstorage-conditioncl-do-all-symbolsdefine-minor-modeeval-when-compilewith-syntax-tablewith-temp-messagewith-wrapper-hookbacktrace--localsbeginning-of-linebool-vector-unionbuffer-modified-pcapitalize-regioncar-less-than-carchar-category-setchar-table-parentclear-image-cachecoding-system-putcolor-supported-pcommand-remappingcontrolling-tty-pcopy-syntax-tablecurrent-idle-timecurrent-local-mapcurrent-time-zonedebug-timer-checkdump-glyph-matrixdump-tool-bar-rowexecute-kbd-macrofile-executable-pframe-char-heightframe-pixel-widthframe-root-windowframe-text-heightframe-total-linesget-buffer-createget-buffer-windowget-char-propertyget-load-suffixesget-text-propertyimagemagick-typesindirect-functionindirect-variableinotify-add-watchinterrupt-processline-end-positionline-pixel-heightlocal-key-bindingmake-category-setmap-charset-charsmemory-use-countsminibuffer-promptminibuffer-windowopen-dribble-fileprofiler-cpu-stopput-text-propertyre-search-forwardread-key-sequenceset-charset-plistset-keymap-parentset-process-plistset-window-bufferstring-as-unibytestring-to-unibytesuspicious-objecttext-property-anythis-command-keystranspose-regionsw32-shell-executewhere-is-internalwindow-body-widthwindow-left-childwindow-new-normalwindow-parameterswindow-pixel-leftwindow-text-widthx-display-screensx-load-color-filex-open-connectionx-window-propertyembedded/html.xmlapplication/x-kidapplication/x-phptext/x-typoscriptsite_block_commondeep_subdirectiveabstract-relationparenthesis-closeIO::Socket::AsyncMetamodel::MixinsMetamodel::NamingPod::Block::NamedPod::Block::TableTelemetry::Periodalternative-namesconfigure_destroyexplicitly-manageis-initial-threadnative-descriptornew-from-daycountoffset-in-minutessetup_mixin_cache(?<=\[\\?)<(?=\])pre-pod-formatter\n \n\|\n(?=^ *=)TypoScriptCSSDataembedded/abap.xmlembedded/abnf.xmlembedded/agda.xmlembedded/bash.xmlembedded/dart.xmlembedded
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: :cacheDir/:projectsecurity.http.urlspageSort.ByLastmodClusterRoleBindingFieldValueRequiredFieldValueNotFoundsupported values: invalid value typegorm:before_creategorm:insert_optiongorm:before_deletegorm:before_updategorm:update_optionint AUTO_INCREMENT(%v.%v NOT IN (?))gorm:table_options, PRIMARY KEY (%v)%s %v ON %v(%v) %v":file::line::col"dart-sass-embeddedGetConsoleOutputCPduplicate name: %qduplicate field %vGetPerformanceInfonet.sock.peer.addrnet.sock.peer.portnet.sock.host.addrnet.sock.host.portmode not supportedchunk out of ordercompression methoddimension overflow255.255.255.255/32bad resolver statethe stream is doneinvalid config: %v%d, %f, %d, %d, %vindex is finalizedindex %q not foundindex %q not validGaussianResamplingBlackmanResamplingBartlettResamplingadjustable-array-parray-displacementarray-element-typefile-string-lengthget-setf-expansionget-universal-timenstring-capitalizensubstitute-if-notpathname-directoryspecial-operator-ptranslate-pathnamevector-push-extenddestructuring-bindsimple-base-stringprint-not-readableundefined-functionmethod-combinationcl-load-time-valuecl-symbol-macroletaccessible-keymapsbuffer-base-bufferbuffer-enable-undobuffer-local-valuecall-interactivelycategory-docstringchar-table-subtypeclear-charset-mapscoding-system-baseconstrain-to-fieldcurrent-case-tablecurrent-global-mapcurrent-input-modedaemon-initializeddefault-file-modesevent-convert-listfont-shape-gstringformat-time-stringframe-border-widthframe-first-windowframe-fringe-widthframe-pixel-heightget-buffer-processglobal-key-bindinggnutls-available-pgnutls-peer-statusinit-image-libraryinsert-and-inheritinternal-char-fontmake-frame-visiblemake-sparse-keymapmake-symbolic-linkmsdos-mouse-enablemsdos-set-keyboardmultibyte-string-pnumber-or-marker-poverlay-propertiesparse-partial-sexpposix-string-matchprocess-attributesprocess-connectionprofiler-cpu-startre-search-backwardread-coding-systemrecent-auto-save-prun-hook-with-argsset-category-tableset-frame-positionset-mouse-positionset-process-bufferset-process-filterset-time-zone-ruleset-window-fringesset-window-hscrollset-window-marginsset-window-vscrollskip-chars-forwardspecial-variable-pterminal-parametertext-properties-atvisible-frame-listw32-battery-statusw32-long-file-namew32-unload-winsockw32notify-rm-watchwindow-body-heightwindow-dedicated-pwindow-left-columnwindow-line-heightwindow-normal-sizewindow-pixel-edgeswindow-pixel-widthwindow-scroll-barswindow-text-heightwindow-total-widthx-close-connectionx-display-mm-widthx-wm-set-size-hintxw-color-defined-pxw-display-color-pwith-electric-helpapplication/x-raku<\s[a-zA-Z0-9:.]+(import\|package)\b0[xX][0-9a-fA-F_]+"(\\\\\|\\"\|[^"])"preproc-expr-chainoptional-semicolonfunction-param-sep(?:case\|default)\barray-access-closeDistribution::HashDistribution::PathMetamodel::EnumHOWTelemetry::SamplerMONKEY-SEE-NO-EVALadd_private_methoddelete-by-compilersetup_finalization::\?\w+(?::[_UD])?opening_delimiters(:)(!?)(\w[\w'-]*)escape-hexadecimalregex-escape-classclosing_deli
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: :cacheDir/:projectsecurity.http.urlspageSort.ByLastmodClusterRoleBindingFieldValueRequiredFieldValueNotFoundsupported values: invalid value typegorm:before_creategorm:insert_optiongorm:before_deletegorm:before_updategorm:update_optionint AUTO_INCREMENT(%v.%v NOT IN (?))gorm:table_options, PRIMARY KEY (%v)%s %v ON %v(%v) %v":file::line::col"dart-sass-embeddedGetConsoleOutputCPduplicate name: %qduplicate field %vGetPerformanceInfonet.sock.peer.addrnet.sock.peer.portnet.sock.host.addrnet.sock.host.portmode not supportedchunk out of ordercompression methoddimension overflow255.255.255.255/32bad resolver statethe stream is doneinvalid config: %v%d, %f, %d, %d, %vindex is finalizedindex %q not foundindex %q not validGaussianResamplingBlackmanResamplingBartlettResamplingadjustable-array-parray-displacementarray-element-typefile-string-lengthget-setf-expansionget-universal-timenstring-capitalizensubstitute-if-notpathname-directoryspecial-operator-ptranslate-pathnamevector-push-extenddestructuring-bindsimple-base-stringprint-not-readableundefined-functionmethod-combinationcl-load-time-valuecl-symbol-macroletaccessible-keymapsbuffer-base-bufferbuffer-enable-undobuffer-local-valuecall-interactivelycategory-docstringchar-table-subtypeclear-charset-mapscoding-system-baseconstrain-to-fieldcurrent-case-tablecurrent-global-mapcurrent-input-modedaemon-initializeddefault-file-modesevent-convert-listfont-shape-gstringformat-time-stringframe-border-widthframe-first-windowframe-fringe-widthframe-pixel-heightget-buffer-processglobal-key-bindinggnutls-available-pgnutls-peer-statusinit-image-libraryinsert-and-inheritinternal-char-fontmake-frame-visiblemake-sparse-keymapmake-symbolic-linkmsdos-mouse-enablemsdos-set-keyboardmultibyte-string-pnumber-or-marker-poverlay-propertiesparse-partial-sexpposix-string-matchprocess-attributesprocess-connectionprofiler-cpu-startre-search-backwardread-coding-systemrecent-auto-save-prun-hook-with-argsset-category-tableset-frame-positionset-mouse-positionset-process-bufferset-process-filterset-time-zone-ruleset-window-fringesset-window-hscrollset-window-marginsset-window-vscrollskip-chars-forwardspecial-variable-pterminal-parametertext-properties-atvisible-frame-listw32-battery-statusw32-long-file-namew32-unload-winsockw32notify-rm-watchwindow-body-heightwindow-dedicated-pwindow-left-columnwindow-line-heightwindow-normal-sizewindow-pixel-edgeswindow-pixel-widthwindow-scroll-barswindow-text-heightwindow-total-widthx-close-connectionx-display-mm-widthx-wm-set-size-hintxw-color-defined-pxw-display-color-pwith-electric-helpapplication/x-raku<\s[a-zA-Z0-9:.]+(import\|package)\b0[xX][0-9a-fA-F_]+"(\\\\\|\\"\|[^"])"preproc-expr-chainoptional-semicolonfunction-param-sep(?:case\|default)\barray-access-closeDistribution::HashDistribution::PathMetamodel::EnumHOWTelemetry::SamplerMONKEY-SEE-NO-EVALadd_private_methoddelete-by-compilersetup_finalization::\?\w+(?::[_UD])?opening_delimiters(:)(!?)(\w[\w'-]*)escape-hexadecimalregex-escape-classclosing_deli
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: golang.org/x/cryptosecurity.exec.allowapplication/rss+xmlpageSort.ByLanguageWeightedPage(%d,%q)descriptor mismatchFieldValueForbiddenFieldValueDuplicateDROP INDEX %v ON %vINNER JOIN %v ON %v(%v.%v IS NOT NULL)CREATE UNIQUE INDEXRUNEWIDTH_EASTASIANmodulus must be odd<unknown slog.Kind>invalid nil pointerfield %v is invalidunexpected token %sinvalid %v value %vinvalid decimal: %sNtReadVirtualMemoryPdhCollectQueryDataGetExtendedTcpTableGetExtendedUdpTableuser_agent.originalWriteConsoleOutputWtoo much pixel data^\s(%s)\s(%s)\s$0:0:0:0:0:ffff::/96PrivacyAndIntegrityrpc.Register: type goldmark.extensionskeepspecialcommentscompiled-function-pfile-error-pathnameget-macro-characterinitialize-instancemake-synonym-streammake-two-way-streamread-delimited-listset-macro-characterset-pprint-dispatchsimple-bit-vector-pstream-element-typestream-error-streamstring-not-greaterpmultiple-value-calldefine-modify-macrodefine-symbol-macrodo-external-symbolsmultiple-value-bindmultiple-value-listmultiple-value-setqwith-simple-restartconcatenated-streamatomic-change-groupdefine-alternativesdefine-derived-modedefine-generic-modewith-category-tablewith-current-bufferwith-demoted-errorswith-selected-framesave-current-bufferSnarf-documentationadd-text-propertiesbool-vector-subsetpcall-last-kbd-macrocall-process-regioncharset-id-internalcheck-coding-systemcoding-system-plistcopy-category-tablecurrent-active-mapscurrent-indentationcurrent-time-stringdelete-all-overlaysdirectory-file-nameexit-recursive-editfile-name-directoryfind-charset-regionfind-charset-stringfont-otf-alternatesforce-window-updateget-unused-categorygnutls-error-fatalpgnutls-error-stringhandle-save-sessionhandle-switch-framehash-table-weaknessinteger-or-marker-pkill-local-variablemake-category-tablemake-local-variablemake-serial-processmake-terminal-framemap-keymap-internalminibuffer-contentsmodify-syntax-entrymove-point-visuallymove-to-window-linemsdos-mouse-disablenewline-cache-checknext-overlay-changeoptimize-char-tableplay-sound-internalprocess-exit-statusprocess-send-regionprocess-send-stringprofiler-memory-logread-char-exclusivescroll-other-windowself-insert-commandset-input-meta-modeset-text-propertiesshow-face-resourcesskip-chars-backwardskip-syntax-forwardstandard-case-tablestring-as-multibytestring-make-unibytestring-to-multibyteterminal-parameterstty-display-color-pw32-get-locale-infow32-short-file-namew32-toggle-lock-keyw32-window-exists-pw32notify-add-watchwindow-inside-edgeswindow-minibuffer-pwindow-next-bufferswindow-next-siblingwindow-pixel-heightwindow-prev-bufferswindow-prev-siblingwindow-resize-applywindow-total-heightx-display-mm-heightx-register-dnd-atomx-selection-owner-papplication/x-perl6(?:def\|for\|if)\s+.<\s*py:[a-zA-Z0-9]+preproc-parenthesis(?:untyped\|throw)\bMetamodel::ClassHOWMetamodel::StashingMetamodel::TrustingPod::Block::CommentRoutine::WrapHandleThreadPoolSchedulerfirst-date-in-monthset_export_callbackset_mixin_attribute(
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: [0m%s %-44s GlobalMemoryStatusExLookupPrivilegeNameWnet.protocol.versionrpc.grpc.status_codeSetConsoleWindowInfoBad chunk length: %d2002:c058:6301::/120recv window exceededi/o deadline reachedtransport is closinggRPC requires HTTP/2grpc-accept-encodingGracefulClose calledCatmullRomResampling\"(enable\w+)\":nullcopy-pprint-dispatchdirectory-namestringinteger-decode-floatinteractive-stream-pinvalid-method-errorno-applicable-methodpackage-used-by-listset-syntax-from-charmultiple-value-prog1define-setf-expanderpprint-logical-blocksave-selected-windowwith-coding-prioritywith-eval-after-loadwith-selected-windowabort-recursive-editbase64-decode-regionbase64-decode-stringbase64-encode-regionbase64-encode-stringbidi-resolved-levelsbuffer-modified-tickbury-buffer-internalbyte-code-function-pdbus-get-unique-namedecode-coding-regiondecode-coding-stringdefault-printer-namedefine-charset-aliasdefine-fringe-bitmapdetect-coding-regiondetect-coding-stringencode-coding-regionencode-coding-stringerror-message-stringfile-name-absolute-pfile-name-completionfile-selinux-contextfont-face-attributesfont-get-system-fontgnutls-get-initstageinsert-file-contentsinternal-lisp-face-pinternal-show-cursorinvocation-directorylocate-file-internalmake-frame-invisiblemake-indirect-buffermake-network-processmenu-bar-menu-at-x-ymerge-face-attributemouse-pixel-positionnext-property-changeposix-search-forwardprefix-numeric-valueprofiler-memory-stopread-from-minibufferread-no-blanks-inputredirect-frame-focusregister-ccl-programset-buffer-multibyteset-char-table-rangeset-charset-priorityset-process-sentinelset-window-new-pixelset-window-new-totalset-window-parameterskip-syntax-backwardstring-collate-lesspsubst-char-in-regionterminal-local-valuetool-bar-pixel-widthuser-real-login-namevisited-file-modtimew32-define-rgb-colorw32-register-hot-keyw32-send-sys-commandwindow-display-tablex-display-save-underx-selection-exists-p(?m)^@\s+IN\s+SOA\s+Caddyfile Directivescaddyfile-directivesapplication/x-genshiapplication/x-svelte(choose\|otherwise)\b\.\d+([Ee][-+]\d+)?i[\|^<>=!()\[\]{}.,;:](?:extern\|private)\b(?:continue\|break)\bCompUnit::RepositorySupplier::Preservinginstall_method_cacheprivate_method_namesprivate_method_tablepublish_method_cache(\w[\w'-])(\s)(=>)colon-pair-attributeembedded/arduino.xmlembedded/cheetah.xmlembedded/clojure.xmlembedded/crystal.xmlembedded/fortran.xmlembedded/gherkin.xmlembedded/gnuplot.xmlembedded/graphql.xmlembedded/haskell.xmlembedded/hexdump.xmlembedded/monkeyc.xmlembedded/natural.xmlembedded/systemd.xmlembedded/termcap.xmlembedded/v_shell.xmlembedded/verilog.xmlwebp: invalid formatinvalid map key typeFilterValues(%s, %v)(alias\|status)(es)?$cp1257_lithuanian_ciutf8mb4_icelandic_ciutf8mb4_slovenian_ciutf8mb4_esperanto_ciutf8mb4_hungarian_ciunknown auth plugin:mysql_clear_passwordallowNativePasswordsinvalid bool value: Reader '%s' is <nil>illegal %s length %dcloudsqlconn/latencybatch already closedstatement_cache_modeselect lo_create($1)select lo_unlink($1)select l
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: \_ (?i)^(\s*)#\+RESULTS:02 Jan 06 15:04 -0700tag:yaml.org,2002:seqtag:yaml.org,2002:maptag:yaml.org,2002:strinvalid emitter stateexpected STREAM-STARTexpected DOCUMENT-ENDcannot marshal type: tag:yaml.org,2002:intwrite handler not setIPv4 address too longunexpected slice sizeFloat.SetFloat64(NaN)set bit is not 0 or 1flag %q begins with -%s flag redefined: %sAZURE_GO_SDK_LOG_FILEtag is not an integerunrecognized type: %v\[(?:[a-fA-F0-9:]+)\]invalid named captureunexpected stream endUNVERIFIED_TRANSITIONVERIFIED_INITIAL_HIGHGROUP_CHANGE_RESTRICTGROUP_CHANGE_ANNOUNCEGROUP_PARTICIPANT_ADDproto.LocationMessageproto.DocumentMessageproto.ProtocolMessageproto.FourRowTemplateproto.TemplateMessageproto.CatalogSnapshotproto.ProductSnapshotinvalid nesting depthlogical.PluginVersionSubConn shutting downfallback to scheme %q"FAILED_PRECONDITION"GetProcessHandleCount%d error(s) occurred:%s profile: total %d
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: handler cannot be nilsecurity.funcs.getenvinvalid slice type %Tpages.MergeByLanguagepageSort.ByExpiryDateinvalid nil TimestampClusterRoleSelectors:[]ClusterRoleBinding{FieldValueTypeInvalidjinzhu/gorm/.test.goINSERT INTO %v %v%v%vgorm:update_interfaceBIGINT AUTO_INCREMENTbigint AUTO_INCREMENTfield value not validASSOCIATIONFOREIGNKEYExpiredTokenExceptioninvalid scalar lengthExtensionRangeOptionsmismatching field: %vmissing "@type" fieldgoogle.protobuf.Valuemissing "value" fieldRtlNtStatusToDosErrorPdhAddEnglishCounterWpng: invalid format: not enough pixel data0:0:0:0:0:ffff:0:0/96grpc_controller.proto(%d events discarded)GRPC_GO_LOG_FORMATTERdue to a non-default array-row-major-indexcompile-file-pathnamedecode-universal-timeencode-universal-timeget-internal-run-timemake-broadcast-streampackage-error-packagereinitialize-instancesynonym-stream-symbolunbound-slot-instanceuser-homedir-pathnamedefine-compiler-macrowith-compilation-unitwith-output-to-stringwith-package-iteratorcl-destructuring-bindsave-window-excursionaccept-process-outputbackward-prefix-charsbuffer-has-markers-atccl-execute-on-stringchar-table-extra-slotcharset-priority-listcoding-system-aliasesdbus-message-internaldeclare-equiv-charsetdefine-prefix-commanddestroy-fringe-bitmapfile-attributes-lesspfont-variation-glyphsframe-selected-windowfringe-bitmaps-at-posfuncall-interactivelyinsert-before-markersinsert-startup-screeninternal--track-mouselist-system-processesmarker-insertion-typeminibuffer-prompt-endmodify-category-entrymsdos-long-file-namesposix-search-backwardprocess-coding-systemprofiler-memory-startset-buffer-auto-savedset-buffer-major-modeset-buffer-modified-pset-char-table-parentset-minibuffer-windowset-window-new-normalsplit-window-internalstandard-syntax-tablestore-kbd-macro-eventstring-collate-equalpstring-make-multibytetext-char-descriptiontext-property-not-allw32-default-color-mapx-display-color-cellsx-display-grayscale-px-display-pixel-widthx-send-client-messagex-uses-old-gtk-dialog(import)(\s+)([^\s]+)(<\?python)(.?)(\?>)\.\d+([eE][+\-]?\d+)?(?:class\|interface)\bstring-interpol-closetype-param-constraint(?:true\|false\|null)\bhidden-from-backtraceDistribution::LocallyMetamodel::PrimitivesMetamodel::Versioningfind_method_qualified(?<!(?<!\\)\\)<$\|$>regex-character-class(?<!(?<!\\)\\)(\\)(.)embedded/angular2.xmlembedded/gdscript.xmlembedded/iscdhcpd.xmlembedded/makefile.xmlembedded/minizinc.xmlembedded/modula-2.xmlembedded/newspeak.xmlembedded/openscad.xmlembedded/org_mode.xmlembedded/pl_pgsql.xmlembedded/python_2.xmlembedded/reasonml.xmlembedded/solidity.xmlembedded/tablegen.xmlembedded/terminfo.xml[\p{N}\p{L}]+[^\s-/]*(?:([^f])fe\|([lr])f)$utf8mb4_lithuanian_ciutf8mb4_vietnamese_cicaching_sha2_passwordmysql_native_passwordunknown field type %dno rows in result setselect loread($1, $2)release savepoint sp_NoCredentialProvidersAsia Pacific (Mumbai)Asia Pacific (Sydney)Canada West (Calgary)Middle East (Bahrain)US East (N. Virginia)agreement-marketplaceapi.elastic-infere
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: [0m[%s]%s %-44s invalid interlace methodplugin.StdioData_Channelinvalid protocol versionconnection write timeoutrpc: can't find service code: %s, debug data: %q^[a-zA-Z_][a-zA-Z0-9_]*$tabwriter: panic during empty deployment matcherSection list for "posts"array-has-fill-pointer-pbroadcast-stream-streamsecho-stream-input-streamensure-directories-existget-output-stream-stringlisp-implementation-typemake-concatenated-streammake-string-input-streammethod-combination-errortype-error-expected-typewith-hash-table-iteratorfloating-point-underflowcl-define-compiler-macrodefine-global-minor-modewith-tramp-file-propertyactive-minibuffer-windowbarf-if-buffer-read-onlybool-vector-exclusive-orbool-vector-intersectiondescribe-buffer-bindingsgenerate-new-buffer-nameinternal-complete-bufferkill-all-local-variableslast-nonminibuffer-framelibxml-parse-html-regionprevious-property-changeprocess-datagram-addressread-key-sequence-vectorserial-process-configureset-file-selinux-contextset-input-interrupt-modeset-mouse-pixel-positionset-terminal-local-valueset-visited-file-modtimeset-window-configurationset-window-display-tablethis-command-keys-vectorthis-single-command-keysw32-get-codepage-charsetw32-get-console-codepagew32-get-valid-locale-idsw32-set-console-codepagew32-set-process-prioritywaiting-for-user-input-pwindow-combination-limitwindow-scroll-bar-heightx-change-window-propertyx-delete-window-propertyx-get-selection-internalx-menu-bar-open-internalx-own-selection-internalembedded/common_lisp.xmlembedded/go_template.xmlapplication/x-httpd-php3application/x-httpd-php4application/x-httpd-php5text/prs.fallenstein.rst(?:extends\|implements)\bIO::Notification::ChangeMetamodel::RoleContainer([$@])((?<!(?<!\\)\\)\()regex-starting-operatorsembedded/applescript.xmlembedded/cap_n_proto.xmlembedded/cfstatement.xmlembedded/mathematica.xmlembedded/objective-c.xmlembedded/plutus_core.xmlembedded/standard_ml.xmlembedded/tradingview.xmlgif: too much image datagif: invalid pixel valueMESSAGE_ENCODING_UNKNOWNutf8_general_mysql500_ciallowFallbackToPlaintextstatement_cache_capacityAsia Pacific (Hong Kong)Asia Pacific (Hyderabad)Asia Pacific (Singapore)Asia Pacific (Melbourne)athena.ap-east-1.api.awsathena.eu-west-1.api.awsathena.eu-west-2.api.awsathena.eu-west-3.api.awsathena.sa-east-1.api.awsathena.us-east-1.api.awsathena.us-east-2.api.awsathena.us-west-1.api.awsathena.us-west-2.api.awscloudfront.amazonaws.comaos.ca-central-1.api.awsaos.eu-central-1.api.awsaos.eu-central-2.api.awsaos.il-central-1.api.awsaos.me-central-1.api.awslambda.ap-east-1.api.awslambda.ca-west-1.api.awslambda.eu-west-1.api.awslambda.eu-west-2.api.awslambda.eu-west-3.api.awslambda.sa-east-1.api.awslambda.us-east-1.api.awslambda.us-east-2.api.awslambda.us-west-1.api.awslambda.us-west-2.api.awsrekognition.ca-central-1budgets.amazonaws.com.cnroute53.amazonaws.com.cnacm.{region}.{dnsSuffix}dms.{region}.{dnsSuffix}ec2.{region}.{dnsSuffix}eks.{region}.{dnsSuffix}iam.us-gov.amazonaws.comrds.{region}.{dnsSuffix}sqs.{reg
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: [0m[%s]%s %-44s invalid interlace methodplugin.StdioData_Channelinvalid protocol versionconnection write timeoutrpc: can't find service code: %s, debug data: %q^[a-zA-Z_][a-zA-Z0-9_]*$tabwriter: panic during empty deployment matcherSection list for "posts"array-has-fill-pointer-pbroadcast-stream-streamsecho-stream-input-streamensure-directories-existget-output-stream-stringlisp-implementation-typemake-concatenated-streammake-string-input-streammethod-combination-errortype-error-expected-typewith-hash-table-iteratorfloating-point-underflowcl-define-compiler-macrodefine-global-minor-modewith-tramp-file-propertyactive-minibuffer-windowbarf-if-buffer-read-onlybool-vector-exclusive-orbool-vector-intersectiondescribe-buffer-bindingsgenerate-new-buffer-nameinternal-complete-bufferkill-all-local-variableslast-nonminibuffer-framelibxml-parse-html-regionprevious-property-changeprocess-datagram-addressread-key-sequence-vectorserial-process-configureset-file-selinux-contextset-input-interrupt-modeset-mouse-pixel-positionset-terminal-local-valueset-visited-file-modtimeset-window-configurationset-window-display-tablethis-command-keys-vectorthis-single-command-keysw32-get-codepage-charsetw32-get-console-codepagew32-get-valid-locale-idsw32-set-console-codepagew32-set-process-prioritywaiting-for-user-input-pwindow-combination-limitwindow-scroll-bar-heightx-change-window-propertyx-delete-window-propertyx-get-selection-internalx-menu-bar-open-internalx-own-selection-internalembedded/common_lisp.xmlembedded/go_template.xmlapplication/x-httpd-php3application/x-httpd-php4application/x-httpd-php5text/prs.fallenstein.rst(?:extends\|implements)\bIO::Notification::ChangeMetamodel::RoleContainer([$@])((?<!(?<!\\)\\)\()regex-starting-operatorsembedded/applescript.xmlembedded/cap_n_proto.xmlembedded/cfstatement.xmlembedded/mathematica.xmlembedded/objective-c.xmlembedded/plutus_core.xmlembedded/standard_ml.xmlembedded/tradingview.xmlgif: too much image datagif: invalid pixel valueMESSAGE_ENCODING_UNKNOWNutf8_general_mysql500_ciallowFallbackToPlaintextstatement_cache_capacityAsia Pacific (Hong Kong)Asia Pacific (Hyderabad)Asia Pacific (Singapore)Asia Pacific (Melbourne)athena.ap-east-1.api.awsathena.eu-west-1.api.awsathena.eu-west-2.api.awsathena.eu-west-3.api.awsathena.sa-east-1.api.awsathena.us-east-1.api.awsathena.us-east-2.api.awsathena.us-west-1.api.awsathena.us-west-2.api.awscloudfront.amazonaws.comaos.ca-central-1.api.awsaos.eu-central-1.api.awsaos.eu-central-2.api.awsaos.il-central-1.api.awsaos.me-central-1.api.awslambda.ap-east-1.api.awslambda.ca-west-1.api.awslambda.eu-west-1.api.awslambda.eu-west-2.api.awslambda.eu-west-3.api.awslambda.sa-east-1.api.awslambda.us-east-1.api.awslambda.us-east-2.api.awslambda.us-west-1.api.awslambda.us-west-2.api.awsrekognition.ca-central-1budgets.amazonaws.com.cnroute53.amazonaws.com.cnacm.{region}.{dnsSuffix}dms.{region}.{dnsSuffix}ec2.{region}.{dnsSuffix}eks.{region}.{dnsSuffix}iam.us-gov.amazonaws.comrds.{region}.{dnsSuffix}sqs.{reg
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: not a valid logrus Level: %qRtlDosPathNameToNtPathName_Uhttp.response_content_lengthBUG: got len %d, expected %d/grpc.health.v1.Health/Watchfailed to exit idle mode: %wfailed to convert %q to uintgolang.org/x/net/trace.Traceget-dispatch-macro-characterinvoke-restart-interactivelyset-dispatch-macro-charactertwo-way-stream-output-streamdefine-globalized-minor-modewith-tramp-progress-reporterbool-vector-count-populationcombine-after-change-executecurrent-window-configurationfind-operation-coding-systeminternal-face-x-get-resourcenext-read-file-uses-dialog-pregister-code-conversion-mapset-process-datagram-addressset-process-filter-multibyteset-window-combination-limitthis-single-command-raw-keyswindow-redisplay-end-trigger(?<!\$)(\$)([a-zA-Z_][\w.])([\t ]+)([^\r\n]+)(\r?\n\|\Z)Telemetry::Instrument::Usage(?<=^\|\b\|\s)(ms\|m\|rx)\b(\s)^( \.\.)(\s)(\[.+\])(.*?)$embedded/morrowindscript.xmlembedded/protocol_buffer.xmlgif: reading color table: %s%#v has map key with NaNs
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: Isikhathi sase-Chile esijwayelekileIsikhathi sasemini sase-New ZealandIsikhathi sehlobo sase-Turkmenistanbad successive approximation valuesshould never reach here Include(%q)exif: seek to sub-IFD %s failed: %vunable to find oid for type name %vcannot convert %v to Int4multirangecannot convert %v to Int8multirangecannot convert %v to TimestampArray2006-01-02 15:04:05.999999999Z07:00cannot convert %v to TstzrangeArrayfield match condition not found in unexpected ending in qualified ruleClient request count by HTTP methodServer request count by HTTP methodprecis: disallowed rune encounteredcrypto/blake2b: cannot marshal MACscrypto/cipher: input not full blockssyntax error scanning complex numberaccessing a corrupted shared libraryTime.UnmarshalBinary: invalid lengthmethod ABI and value ABI don't alignreflect.Value.Equal: values of type strings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportCherokee United States (chr-Cher-US)Chinese (Traditional) Taiwan (zh-TW)English United Arab Emirates (en-AE)bytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative position%s is not a method but has argumentswrong number of args: got %d want %dinternal error: associate not common444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes: Repeat output length overflowlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: Isikhathi sase-Chile esijwayelekileIsikhathi sasemini sase-New ZealandIsikhathi sehlobo sase-Turkmenistanbad successive approximation valuesshould never reach here Include(%q)exif: seek to sub-IFD %s failed: %vunable to find oid for type name %vcannot convert %v to Int4multirangecannot convert %v to Int8multirangecannot convert %v to TimestampArray2006-01-02 15:04:05.999999999Z07:00cannot convert %v to TstzrangeArrayfield match condition not found in unexpected ending in qualified ruleClient request count by HTTP methodServer request count by HTTP methodprecis: disallowed rune encounteredcrypto/blake2b: cannot marshal MACscrypto/cipher: input not full blockssyntax error scanning complex numberaccessing a corrupted shared libraryTime.UnmarshalBinary: invalid lengthmethod ABI and value ABI don't alignreflect.Value.Equal: values of type strings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportCherokee United States (chr-Cher-US)Chinese (Traditional) Taiwan (zh-TW)English United Arab Emirates (en-AE)bytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative position%s is not a method but has argumentswrong number of args: got %d want %dinternal error: associate not common444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes: Repeat output length overflowlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: tls: internal error: sending non-handshake message to QUIC transportpadding bytes must all be zeros unless AllowIllegalWrites is enabledhttp2: Transport conn %p received error from processing frame %v: %vhttp2: Transport received unsolicited DATA frame; closing connectionhttp: message cannot contain multiple Content-Length headers; got %qAn update strategy to replace existing DaemonSet pods with new pods.The last time the condition transitioned from one status to another.The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.PersistentVolumeStatus is the current status of a persistent volume.PodAttachOptions is the query options to a Pod's remote attach call.optional field specify whether the Secret or its key must be definedPodCondition contains details for the current condition of this pod.ScaleIOPersistentVolumeSource represents a persistent ScaleIO volumeproto: ISCSIPersistentVolumeSource: wiretype end group for non-groupproto: PersistentVolumeClaimCondition: illegal tag %d (wire type %d)proto: PersistentVolumeClaimStatus: wiretype end group for non-groupproto: ReplicationControllerCondition: illegal tag %d (wire type %d)proto: ReplicationControllerStatus: wiretype end group for non-groupproto: VsphereVirtualDiskVolumeSource: illegal tag %d (wire type %d)(brief) machine readable reason for the condition's last transition.expected SCALAR, SEQUENCE-START, MAPPING-START, or ALIAS, but got %vembedded IPv4 address must replace the final 2 fields of the addressbig: invalid 2nd argument to Int.Jacobi: need odd integer but got %s2695994666715063979466701508701963067355791626002630814351006629888126959946667150639794667015087019625940457807714424391721682722368061crypto/hmac: hash generation function does not produce unique valuescustom type: type: %v, does not implement the proto.custom interfacedecoding int array or slice: length exceeds input size (%d elements)invalid retry throttling config: tokenRatio (%v) may not be negativelabels in collected metric %s %s are inconsistent with descriptor %sKind %q used in outputs configuration is deprecated, use %q instead.extension %v does not implement protoreflect.ExtensionTypeDescriptorrpc.Register: method %q has %d output parameters; needs exactly one
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uidsSpecifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; value must be positive integer. If a Job is suspended (at creation or through an update), this timer will effectively be stopped and reset when the Job is resumed again.A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uidsSpecifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; value must be positive integer. If a Job is suspended (at creation or through an update), this timer will effectively be stopped and reset when the Job is resumed again.A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: The contents of the target ConfigMap's Data field will be presented in a projected volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. Note that this is identical to a configmap volume source without the default mode.List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource.GC cycle the last time the GC CPU limiter was enabled. This metric is useful for diagnosing the root cause of an out-of-memory error, because the limiter trades memory for CPU time when the GC's CPU time gets too high. This is most likely to occur with use of SetMemoryLimit. The first GC cycle is cycle 1, so a value of 0 indicates that it was never enabled.Distribution of individual GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.StatusDetails is a set of additional properties that MAY be set by the server to provide additional information about a response. The Reason field of a Status object defines what attributes will be set. Clients must ignore fields that do not match the defined type of each attribute, and should assume that any attribute may be empty, invalid, or under defined.AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.Specifies the set of values. Each returned container exit code (might be multiple in case of multiple containers) is checked against this set of values with respect to the operator. The list of values must be ordered and must not contain duplicates. Value '0' cannot be used for the In operator. At least one element is required. At most 255 elements are allowed.Name is the name of the operating system. The currently supported values are linux and windows. Additional value may be defined in future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration Clients should expect to handle additional values and treat unrecognized values in this field as os: nullThe maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deplo
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: The contents of the target ConfigMap's Data field will be presented in a projected volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. Note that this is identical to a configmap volume source without the default mode.List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource.GC cycle the last time the GC CPU limiter was enabled. This metric is useful for diagnosing the root cause of an out-of-memory error, because the limiter trades memory for CPU time when the GC's CPU time gets too high. This is most likely to occur with use of SetMemoryLimit. The first GC cycle is cycle 1, so a value of 0 indicates that it was never enabled.Distribution of individual GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.StatusDetails is a set of additional properties that MAY be set by the server to provide additional information about a response. The Reason field of a Status object defines what attributes will be set. Clients must ignore fields that do not match the defined type of each attribute, and should assume that any attribute may be empty, invalid, or under defined.AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.Specifies the set of values. Each returned container exit code (might be multiple in case of multiple containers) is checked against this set of values with respect to the operator. The list of values must be ordered and must not contain duplicates. Value '0' cannot be used for the In operator. At least one element is required. At most 255 elements are allowed.Name is the name of the operating system. The currently supported values are linux and windows. Additional value may be defined in future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration Clients should expect to handle additional values and treat unrecognized values in this field as os: nullThe maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deplo
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: <rule pattern="(hardware\|packet\|leased-address\|host-decl-name\|lease-time\|max-lease-time\|client-state\|config-option\|option\|filename\|next-server\|allow\|deny\|match\|ignore)\b">
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: <rule pattern="(?i)\b(?<!-)(?<!#)(ENTIRE\|BY\|NAME\|ARRAY\|SPECIFIED\|VIEW\|MODULE\|FUNCTION\|RETURNS\|AND\|NUMERIC\|OPTIONAL\|END-PARSE\|TRUE\|END-RESULT\|LEAVING\|NOT\|CONDITION\|NUMBER\|NO\|EXP\|FULL\|REPLACE\|INSERT\|DOEND\|LOG\|ABS\|ANY\|REPEAT\|SET\|DLOGOFF\|DOWNLOAD\|BREAK\|VALUES\|DIVIDE\|COMPRESS\|UPDATE\|SORTKEY\|OR\|END-FIND\|END-ENDPAGE\|REDUCE\|IGNORE\|MIN\|WASTE\|END-DEFINE\|SUBSTR\|END\|FIND\|ADD\|INVESTIGATE\|DNATIVE\|CONST\|COS\|ENDHOC\|SGN\|COPY\|REDEFINE\|DEFINE\|MULTIPLY\|ASSIGN\|LE\|VALUE\|COMPOSE\|FALSE\|POS\|CALL\|TAN\|ERROR\|CLOSE\|PARSE\|LT\|WITH_CTE\|END-SORT\|EJECT\|RESET\|SHOW\|LOCAL\|PERFORM\|TERMINATE\|VAL\|BACKOUT\|END-LOOP\|REJECT\|SUM\|CREATE\|SORT\|RETURN\|AT\|SIN\|SETTIME\|INT\|NE\|GLOBAL\|END-SELECT\|ELSE\|DELETE\|TOP\|INCLUDE\|END-ENDDATA\|LOOP\|OLD\|SUSPEND\|SKIP\|SQRT\|RULEVAR\|NMIN\|AVER\|PROCESS\|SELECT\|MAP\|USING\|END-HISTOGRAM\|MAX\|NEWPAGE\|ON\|OFF\|KEY\|NAMED\|CONTROL\|PF1\|PF2\|PF3\|PF4\|PF5\|PF6\|PF7\|PF8\|PF9\|INITIAL\|WRITE\|STORE\|FETCH\|ATN\|RET\|END-WORK\|RESTORE\|GET\|LIMIT\|END-ERROR\|SEND\|OPEN\|ESCAPE\|COMPUTE\|COUNT\|TRANSFER\|RELEASE\|DO\|DYNAMIC\|ROLLBACK\|END-READ\|DISPLAY\|UPLOAD\|END-DATA\|NULL-HANDLE\|NCOUNT\|RESIZE\|END-PROCESS\|REQUEST\|READ\|SEPARATE\|EQ\|INPUT\|DATA\|END-START\|STACK\|REINPUT\|INCDIC\|INCCONT\|END-IF\|WHEN\|END-BEFORE\|WHILE\|END-ENDFILE\|END-TOPPAGE\|INCDIR\|PARAMETER\|OBTAIN\|CALLDBPROC\|END-BROWSE\|MOVE\|SUBTRACT\|DLOGON\|EXAMINE\|SUBSTRING\|BEFORE\|STOP\|RUN\|END-BREAK\|EXPORT\|END-SUBROUTINE\|FOR\|GE\|PRINT\|BROWSE\|IMPORT\|EXPAND\|ALL\|PASSW\|FORMAT\|GT\|END-NOREC\|END-DECIDE\|END-FOR\|CALLNAT\|END-ALL\|OPTIONS\|RETRY\|NONE\|INCMAC\|END-FILE\|DECIDE\|INIT\|HISTOGRAM\|NAVER\|START\|ACCEPT\|COMMIT\|TOTAL\|IF\|FRAC\|END-REPEAT\|UNTIL\|TO\|INTO\|WITH\|DELIMITER\|FIRST\|OF\|INTO\|SUBROUTINE\|GIVING\|POSITION)\b(?!-)">
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: <rule pattern="(^\|(?<=[^\w\-]))(WORKING-STORAGE\|IDENTIFICATION\|LOCAL-STORAGE\|CONFIGURATION\|END-EVALUATE\|FILE-CONTROL\|END-UNSTRING\|END-SUBTRACT\|END-MULTIPLY\|INPUT-OUTPUT\|END-PERFORM\|END-DISPLAY\|END-OF-PAGE\|END-COMPUTE\|ENVIRONMENT\|I-O-CONTROL\|END-REWRITE\|END-RETURN\|INITIALIZE\|END-ACCEPT\|END-DIVIDE\|PROGRAM-ID\|END-STRING\|END-DELETE\|END-SEARCH\|END-WRITE\|PROCEDURE\|END-START\|TERMINATE\|END-READ\|MULTIPLY\|CONTINUE\|SUPPRESS\|SUBTRACT\|INITIATE\|UNSTRING\|DIVISION\|VALIDATE\|END-CALL\|ALLOCATE\|GENERATE\|EVALUATE\|PERFORM\|FOREVER\|LINKAGE\|END-ADD\|REWRITE\|INSPECT\|SECTION\|RELEASE\|COMPUTE\|DISPLAY\|END-IF\|GOBACK\|INVOKE\|CANCEL\|UNLOCK\|SCREEN\|SEARCH\|DELETE\|STRING\|DIVIDE\|ACCEPT\|RETURN\|RESUME\|START\|RAISE\|MERGE\|CLOSE\|WRITE\|FILE\|STOP\|FREE\|READ\|ELSE\|THEN\|SORT\|EXIT\|OPEN\|CALL\|MOVE\|DATA\|END\|SET\|ADD\|USE\|GO\|FD\|SD\|IF)\s*($\|(?=[^\w\-]))">
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: <rule pattern="(^\|(?<=[^\w\-]))(WORKING-STORAGE\|IDENTIFICATION\|LOCAL-STORAGE\|CONFIGURATION\|END-EVALUATE\|FILE-CONTROL\|END-UNSTRING\|END-SUBTRACT\|END-MULTIPLY\|INPUT-OUTPUT\|END-PERFORM\|END-DISPLAY\|END-OF-PAGE\|END-COMPUTE\|ENVIRONMENT\|I-O-CONTROL\|END-REWRITE\|END-RETURN\|INITIALIZE\|END-ACCEPT\|END-DIVIDE\|PROGRAM-ID\|END-STRING\|END-DELETE\|END-SEARCH\|END-WRITE\|PROCEDURE\|END-START\|TERMINATE\|END-READ\|MULTIPLY\|CONTINUE\|SUPPRESS\|SUBTRACT\|INITIATE\|UNSTRING\|DIVISION\|VALIDATE\|END-CALL\|ALLOCATE\|GENERATE\|EVALUATE\|PERFORM\|FOREVER\|LINKAGE\|END-ADD\|REWRITE\|INSPECT\|SECTION\|RELEASE\|COMPUTE\|DISPLAY\|END-IF\|GOBACK\|INVOKE\|CANCEL\|UNLOCK\|SCREEN\|SEARCH\|DELETE\|STRING\|DIVIDE\|ACCEPT\|RETURN\|RESUME\|START\|RAISE\|MERGE\|CLOSE\|WRITE\|FILE\|STOP\|FREE\|READ\|ELSE\|THEN\|SORT\|EXIT\|OPEN\|CALL\|MOVE\|DATA\|END\|SET\|ADD\|USE\|GO\|FD\|SD\|IF)\s*($\|(?=[^\w\-]))">
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: <rule pattern="\b(use-glyph-orientation\|decimal-leading-zero\|ruby-base-container\|ruby-text-container\|table-column-group\|table-header-group\|geometricPrecision\|table-footer-group\|optimizeLegibility\|alternate-reverse\|repeat no-repeat\|table-row-group\|all-petite-caps\|ultra-condensed\|extra-condensed\|box-decoration\|sideways-right\|extra-expanded\|no-close-quote\|all-small-caps\|semi-condensed\|ultra-expanded\|column-reverse\|space-between\|semi-expanded\|table-caption\|no-open-quote\|sideways-left\|double-circle\|vertical-text\|optimizeSpeed\|weight style\|currentColor\|titling-caps\|match-parent\|table-column\|line-through\|inline-block\|inline-table\|wrap-reverse\|avoid-column\|manipulation\|space-around\|context-menu\|lower-alpha\|row-reverse\|not-allowed\|content-box\|ease-in-out\|close-quote\|lower-latin\|crisp-edges\|lower-roman\|lower-greek\|upper-alpha\|upper-latin\|upper-roman\|nwse-resize\|nesw-resize\|preserve-3d\|inline-flex\|petite-caps\|color-dodge\|descendants\|padding-box\|capitalize\|small-caps\|difference\|inter-word\|step-start\|all-scroll\|stroke-box\|soft-light\|margin-box\|open-quote\|table-cell\|row-resize\|border-box\|hard-light\|break-word\|color-burn\|luminosity\|full-width\|col-resize\|from-image\|avoid-page\|scale-down\|saturation\|sans-serif\|flex-start\|distribute\|horizontal\|alternate\|ruby-text\|force-end\|list-item\|se-resize\|mandatory\|exclusion\|ns-resize\|underline\|ruby-base\|ew-resize\|condensed\|container\|uppercase\|no-repeat\|nw-resize\|table-row\|backwards\|crosshair\|proximity\|sw-resize\|lowercase\|allow-end\|each-line\|monospace\|pixelated\|ne-resize\|luminance\|pan-right\|ellipsis\|pan-down\|pan-left\|overline\|multiply\|progress\|relative\|infinite\|repeat-x\|repeat-y\|georgian\|forwards\|flex-end\|s-resize\|fill-box\|expanded\|separate\|ease-out\|sideways\|e-resize\|step-end\|n-resize\|collapse\|triangle\|baseline\|view-box\|w-resize\|armenian\|absolute\|xx-large\|xx-small\|vertical\|zoom-out\|contain\|ease-in\|running\|no-drop\|zoom-in\|unicase\|hanging\|smaller\|x-large\|overlay\|compact\|lighter\|lighten\|objects\|oblique\|x-small\|reverse\|stretch\|upright\|cursive\|inherit\|initial\|outside\|pointer\|decimal\|default\|justify\|visible\|balance\|isolate\|fantasy\|paused\|static\|pan-up\|invert\|inside\|italic\|weight\|inline\|hidden\|outset\|larger\|repeat\|always\|spaces\|sticky\|circle\|digits\|linear\|column\|smooth\|nowrap\|bolder\|normal\|sesame\|dashed\|groove\|darken\|bottom\|run-in\|manual\|dotted\|double\|medium\|filled\|screen\|scroll\|center\|strict\|square\|edges\|serif\|start\|thick\|first\|clone\|fixed\|slice\|small\|under\|unset\|block\|color\|round\|solid\|space\|right\|ridge\|blink\|below\|pan-y\|avoid\|large\|cover\|inset\|alpha\|local\|alias\|style\|loose\|table\|mixed\|pan-x\|page\|ruby\|disc\|none\|snap\|ease\|text\|show\|thin\|clip\|left\|open\|wrap\|fill\|cell\|flat\|flex\|flip\|last\|both\|help\|bold\|over\|hide\|wait\|icon\|move\|auto\|copy\|wavy\|top\|ltr\|row\|rtl\|end\|hue\|dot\|off\|all\|ink\|to\|on)\b">
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: <push state="function-start"/>
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: <state name="function-start">
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: <rule pattern="(use-glyph-orientation\|decimal-leading-zero\|ruby-base-container\|ruby-text-container\|table-column-group\|table-header-group\|geometricPrecision\|table-footer-group\|optimizeLegibility\|alternate-reverse\|repeat no-repeat\|table-row-group\|all-petite-caps\|ultra-condensed\|extra-condensed\|box-decoration\|sideways-right\|extra-expanded\|no-close-quote\|all-small-caps\|semi-condensed\|ultra-expanded\|column-reverse\|space-between\|semi-expanded\|table-caption\|no-open-quote\|sideways-left\|double-circle\|vertical-text\|optimizeSpeed\|weight style\|currentColor\|titling-caps\|match-parent\|table-column\|line-through\|inline-block\|inline-table\|wrap-reverse\|avoid-column\|manipulation\|space-around\|context-menu\|lower-alpha\|row-reverse\|not-allowed\|content-box\|ease-in-out\|close-quote\|lower-latin\|crisp-edges\|lower-roman\|lower-greek\|upper-alpha\|upper-latin\|upper-roman\|nwse-resize\|nesw-resize\|preserve-3d\|inline-flex\|petite-caps\|color-dodge\|descendants\|padding-box\|capitalize\|small-caps\|difference\|inter-word\|step-start\|all-scroll\|stroke-box\|soft-light\|margin-box\|open-quote\|table-cell\|row-resize\|border-box\|hard-light\|break-word\|color-burn\|luminosity\|full-width\|col-resize\|from-image\|avoid-page\|scale-down\|saturation\|sans-serif\|flex-start\|distribute\|horizontal\|alternate\|ruby-text\|force-end\|list-item\|se-resize\|mandatory\|exclusion\|ns-resize\|underline\|ruby-base\|ew-resize\|condensed\|container\|uppercase\|no-repeat\|nw-resize\|table-row\|backwards\|crosshair\|proximity\|sw-resize\|lowercase\|allow-end\|each-line\|monospace\|pixelated\|ne-resize\|luminance\|pan-right\|ellipsis\|pan-down\|pan-left\|overline\|multiply\|progress\|relative\|infinite\|repeat-x\|repeat-y\|georgian\|forwards\|flex-end\|s-resize\|fill-box\|expanded\|separate\|ease-out\|sideways\|e-resize\|step-end\|n-resize\|collapse\|triangle\|baseline\|view-box\|w-resize\|armenian\|absolute\|xx-large\|xx-small\|vertical\|zoom-out\|contain\|ease-in\|running\|no-drop\|zoom-in\|unicase\|hanging\|smaller\|x-large\|overlay\|compact\|lighter\|lighten\|objects\|oblique\|x-small\|reverse\|stretch\|upright\|cursive\|inherit\|initial\|outside\|pointer\|decimal\|default\|justify\|visible\|balance\|isolate\|fantasy\|paused\|static\|pan-up\|invert\|inside\|italic\|weight\|inline\|hidden\|outset\|larger\|repeat\|always\|spaces\|sticky\|circle\|digits\|linear\|column\|smooth\|nowrap\|bolder\|normal\|sesame\|dashed\|groove\|darken\|bottom\|run-in\|manual\|dotted\|double\|medium\|filled\|screen\|scroll\|center\|strict\|square\|edges\|serif\|start\|thick\|first\|clone\|fixed\|slice\|small\|under\|unset\|block\|color\|round\|solid\|space\|right\|ridge\|blink\|below\|pan-y\|avoid\|large\|cover\|inset\|alpha\|local\|alias\|style\|loose\|table\|mixed\|pan-x\|page\|ruby\|disc\|none\|snap\|ease\|text\|show\|thin\|clip\|left\|open\|wrap\|fill\|cell\|flat\|flex\|flip\|last\|both\|help\|bold\|over\|hide\|wait\|icon\|move\|auto\|copy\|wavy\|top\|ltr\|row\|rtl\|end\|hue\|dot\|off\|all\|ink\|to\|on)\b">
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: <push state="value-start"/>
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: <state name="value-start">
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: <rule pattern="\b(no-discretionary-ligatures\|no-historical-ligatures\|discretionary-ligatures\|simp-chinese-informal\|trad-chinese-informal\|korean-hanja-informal\|historical-ligatures\|korean-hangul-formal\|decimal-leading-zero\|korean-hanja-formal\|ruby-text-container\|ruby-base-container\|no-common-ligatures\|trad-chinese-formal\|simp-chinese-formal\|cjk-earthly-branch\|geometricPrecision\|optimizeLegibility\|table-header-group\|table-footer-group\|diagonal-fractions\|table-column-group\|proportional-width\|disclosure-closed\|stacked-fractions\|japanese-informal\|alternate-reverse\|cjk-heavenly-stem\|proportional-nums\|slider-horizontal\|ideograph-numeric\|common-ligatures\|isolate-override\|ethiopic-numeric\|ideograph-alpha\|table-row-group\|all-petite-caps\|cjk-ideographic\|inter-character\|ultra-condensed\|scroll-position\|extra-condensed\|japanese-formal\|disclosure-open\|menulist-button\|upper-armenian\|lower-armenian\|extra-expanded\|semi-condensed\|space-adjacent\|all-small-caps\|discard-before\|katakana-iroha\|full-size-kana\|no-close-quote\|ultra-expanded\|hiragana-iroha\|target-counter\|column-reverse\|spelling-error\|grammar-error\|optimizeSpeed\|discard-after\|no-contextual\|trim-adjacent\|table-caption\|square-button\|semi-expanded\|border-bottom\|ui-sans-serif\|double-circle\|vertical-text\|outside-shape\|horizontal-tb\|no-open-quote\|space-between\|small-caption\|oldstyle-nums\|bidi-override\|progress-bar\|match-parent\|line-through\|space-around\|inline-table\|inline-block\|high-quality\|space-evenly\|table-column\|currentColor\|arabic-indic\|ui-monospace\|rotate-right\|inline-start\|avoid-region\|avoid-column\|match-source\|manipulation\|tabular-nums\|context-menu\|slashed-zero\|cubic-bezier\|titling-caps\|wrap-reverse\|color-dodge\|sideways-lr\|no-compress\|space-first\|searchfield\|lining-nums\|fit-content\|ease-in-out\|punctuation\|min-content\|petite-caps\|crisp-edges\|push-button\|translate3d\|row-reverse\|perspective\|max-content\|nesw-resize\|not-allowed\|preserve-3d\|space-start\|drop-shadow\|padding-box\|text-bottom\|rotate-left\|block-start\|inline-grid\|inline-flex\|upper-latin\|upper-alpha\|lower-latin\|auto
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: flow\|lower-alpha\|message-box\|lower-greek\|upper-roman\|lower-roman\|vertical-rl\|traditional\|justify-all\|close-quote\|content-box\|vertical-lr\|cjk-decimal\|transparent\|sideways-rl\|target-text\|balance-all\|ideographic\|nwse-resize\|saturation\|flex-start\|open-quote\|from-image\|avoid-flex\|avoid-line\|stroke-box\|ui-rounded\|margin-box\|self-start\|inline-end\|devanagari\|avoid-page\|status-bar\|all-scroll\|col-resize\|row-resize\|translateZ\|translateY\|translateX\|hue-rotate\|small-caps\|brightness\|step-start\|capitalize\|trim-start\|trim-inner\|sans-serif\|scale-down\|contextual\|break-word\|horizontal\|inter-word\|color-burn\|cross-fade\|hard-light\|soft-light\|border-box\|table-cell\|luminosity\|full-width\|difference\|simplified\|alphabetic\|mandatory\|exclusion\|from-font\|table-row\|flow-root\|underline\|image-set\|proximity\|ruby-base\|ruby-text\|list-item\|monospace\|intersect\|ns-resize\|textfield\|ew-resize\|uppercase\|sw-resize\|se-resize\|nw-resize\|lowercase\|grayscale\|ne-resize\|pan-right\|translate\|backwards\|available\|luminance\|condensed\|alternate\|mongolian\|plaintext\|malayalam\|cambodian\|transform\|block-end\|force-end\|break-all\|crosshair\|allow-end\|no-repeat\|pixelated\|system-ui\|xxx-large\|space-end\|w-resize\|georgian\|flex-end\|baseline\|gujarati\|fangsong\|ui-serif\|fill-box\|keep-all\|view-box\|xx-small\|gurmukhi\|pre-line\|pre-wrap\|contents\|xx-large\|text-top\|hiragana\|self-end\|katakana\|collapse\|separate\|anywhere\|saturate\|expanded\|subtract\|progress\|repeat-x\|rotate3d\|repeat-y\|contrast\|relative\|forwards\|infinite\|absolute\|matrix3d\|vertical\|overline\|pan-down\|pan-left\|step-end\|triangle\|ease-out\|textarea\|sideways\|checkbox\|menulist\|ellipsis\|trim-end\|grabbing\|multiply\|zoom-out\|n-resize\|s-resize\|armenian\|ordinal\|zoom-in\|visible\|overlay\|no-drop\|listbox\|unicode\|lighten\|ease-in\|lighter\|element\|running\|justify\|display\|fantasy\|unicase\|subgrid\|reverse\|upright\|stretch\|rotateX\|current\|exclude\|rotateY\|pointer\|contain\|opacity\|default\|no-clip\|in-flow\|hanging\|isolate\|discard\|tibetan\|persian\|myanmar\|rotateZ\|content\|inherit\|outside\|initial\|kannada\|smaller\|decimal\|symbols\|x-large\|balance\|x-small\|economy\|caption\|minimum\|maximum\|polygon\|ellipse\|cursive\|bengali\|masonry\|static\|region\|column\|run-in\|inline\|middle\|circle\|larger\|button\|square\|pretty\|always\|hidden\|rotate\|inside\|scroll\|screen\|matrix\|create\|unsafe\|center\|paused\|nowrap\|medium\|darken\|sesame\|strict\|outset\|pan-up\|bolder\|telugu\|scaleX\|linear\|scaleY\|groove\|double\|scaleZ\|dashed\|minmax\|legacy\|hebrew\|bottom\|dotted\|leader\|normal\|stable\|weight\|smooth\|filled\|italic\|revert\|manual\|repeat\|sticky\|invert\|table\|round\|space\|alias\|jis78\|dense\|sepia\|emoji\|auto;\|clear\|skewX\|cover\|right\|skewY\|style\|light\|unset\|force\|alpha\|large\|focus\|solid\|ridge\|white\|embed\|tamil\|blink\|first\|scale\|radio\|color\|jis83\|under\|block\|jis90\|inset\|start\|pan-y\|oriya\|super\|loose\|mixed\|thick\|slice\|pan-x\|khmer\|width\|local\|fixed\|clone\|avoid\|serif\|exact\|recto\|meter\|small\|verso\|jis04\|image\|flow\|flex\|grid\|ruby\|wrap\|ease\|safe\|grab\|move\|icon\|bold\|last\|open\|over\|wavy\|show\|hide\|both\|url;\|none\|blur\|text\|line\|menu\|copy\|dark\|left\|math\|cell\|clip\|fill\|
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: /c\|real-part\|numerator\|hash-set\\|hash-set!\|boolean=\?\|read-line\|hash-ref!\|read-char\|read-cdot\|hash-keys\|hash-eqv\?\|partition\|path-only\|between/c\|peek-byte\|peek-char\|read-byte\|rational\?\|hash-copy\|positive\?\|weak-box\?\|print-box\|alarm-evt\|guard-evt\|promise/c\|prop:dict\|conjugate\|sequence\?\|in-range\|group-by\|set-eqv\?\|set-box!\|generic\?\|dict-map\|dict-ref\|channel\?\|hash-eq\?\|set-add!\|dict-set\|one-of/c\|box-cas!\|for-each\|make-exn\|set-copy\|hash-map\|hash-ref\|hash-set\|syntax-e\|integer\?\|set-rest\|inexact\?\|vectorof\|truncate\|stream/c\|string<\?\|string=\?\|symbol=\?\|string>\?\|symbol<\?\|vector/c\|prop:evt\|plumber\?\|pregexp\?\|identity\|in-value\|list-set\|in-bytes\|in-cycle\|weak-set\|in-slice\|date-day\|subbytes\|in-lines\|list-ref\|boolean\?\|udp-send\|promise\?\|process\\|keyword\?\|equal<%>\|object=\?\|compose1\|exn:fail\|in-mlist\|split-at\|syntax/c\|quotient\|wrap-evt\|complex\?\|char<=\?\|system\\|println\|syntax\?\|in-port\|compose\|in-list\|conjoin\|regexp\?\|bytes>\?\|process\|compile\|\list/c\|object%\|thread\?\|eof-evt\|load/cd\|logger\?\|struct\?\|pregexp\|bytes=\?\|in-hash\|in-dict\|srcloc\?\|list\of\|append\\|shuffle\|writeln\|call/cc\|hasheqv\|subset\?\|seventh\|char>=\?\|call/ec\|number\?\|bytes<\?\|string\?\|object\?\|symbol\?\|symbols\|version\|display\|disjoin\|stream\?\|vector\?\|fixnum\?\|arity=\?\|flatten\|flonum\?\|set-map\|reverse\|newline\|ceiling\|fprintf\|is-a\?/c\|future\?\|real-in\|char-in\|remove\\|set-eq\?\|set-add\|base->\?\|eprintf\|andmap\|modulo\|blame\?\|cdaadr\|cdaaar\|seteqv\|length\|eighth\|vector\|cadddr\|caddar\|date\\?\|cdaddr\|cadadr\|empty\?\|curryr\|cadaar\|caaddr\|in-set\|equal\?\|mpair\?\|list/c\|cddaar\|cddadr\|member\|argmax\|cons/c\|argmin\|listof\|caadar\|printf\|caaadr\|caaaar\|bytes\?\|system\|putenv\|exact\?\|expand\|class\?\|random\|srcloc\|cdddar\|false\?\|filter\|char>\?\|hasheq\|none/c\|second\|cddddr\|hash/c\|string\|place\?\|char=\?\|values\|char<\?\|negate\|append\|regexp\|cdadar\|fourth\|future\|banner\|gensym\|getenv\|remove\|thread\|format\|path<\?\|tenth\|third\|remf\\|path\?\|char\?\|ninth\|remq\\|pair\?\|ormap\|mcons\|assoc\|remv\\|round\|cdddr\|takef\|range\|cons\?\|cddar\|const\|list\?\|apply\|port\?\|count\|curry\|touch\|cdadr\|date\\|list\\|date\?\|findf\|is-a\?\|box/c\|set/c\|set=\?\|dict\?\|void\?\|null\?\|seteq\|dropf\|not/c\|caddr\|empty\|print\|cadar\|raise\|any/c\|byte\?\|caadr\|sixth\|angle\|and/c\|error\|caaar\|n->th\|sleep\|even\?\|evt/c\|write\|bytes\|unbox\|fifth\|unit\?\|first\|floor\|foldl\|foldr\|force\|real\?\|zero\?\|hash\?\|cdaar\|sinh\|nan\?\|udp\?\|caar\|cadr\|null\|hash\|rest\|box\?\|<=/c\|memv\|expt\|true\|memq\|cdar\|memf\|cddr\|odd\?\|exn\?\|or/c\|mcdr\|mcar\|if/c\|eqv\?\|exit\|remf\|remq\|atan\|assv\|assq\|remv\|assf\|asin\|pi\.f\|tanh\|>=/c\|take\|read\|acos\|load\|cons\|sort\|add1\|cosh\|date\|list\|evt\?\|eval\|last\|sync\|void\|set\?\|drop\|sub1\|sqrt\|sin\|sgn\|eof\|~\.a\|eq\?\|</c\|lcm\|set\|cos\|~\.s\|log\|abs\|tan\|~\.v\|gcd\|map\|xor\|=/c\|max\|cdr\|exp\|sqr\|box\|min\|car\|>/c\|not\|exn\|~v\|~s\|<=\|~r\|~e\|~a\|>=\|pi\|/\|\\|>\|\+\|=\|-\|<)(?=[()[\]{}",\'`;\s])">
Source: LisectAVT_2403002A_214.exe	String found in binary or memory: k8s.io/client-go/pkg/apis/clientauthentication/install.Install

Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe "C:\Users\user\Desktop\LisectAVT_2403002A_214.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior

Source: LisectAVT_2403002A_214.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: LisectAVT_2403002A_214.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: LisectAVT_2403002A_214.exe

Static file information: File size 52278277 > 1048576

Source: LisectAVT_2403002A_214.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1585800
Source: LisectAVT_2403002A_214.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x103000
Source: LisectAVT_2403002A_214.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1a4e600

Source: LisectAVT_2403002A_214.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: LisectAVT_2403002A_214.exe, 00000000.00000002.1611505464.000000C001180000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_214.exe, 00000000.00000003.1600663939.00000217FBA10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: LisectAVT_2403002A_214.exe, 00000000.00000002.1611505464.000000C001180000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_214.exe, 00000000.00000003.1600663939.00000217FBA10000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 5_2_0017B6E2 LoadLibraryW,GetProcAddress,GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,

5_2_0017B6E2

Source: LisectAVT_2403002A_214.exe

Static PE information: section name: .xdata

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0019B2E1 push 00000034h; retf	5_2_0019B2E7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0019A4D8 pushad ; retf	5_2_0019A4D9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0019999A push ss; retf	5_2_001999AC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00199C4D push 7D10D5EFh; retf	5_2_00199C52
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_00199CB5 pushad ; ret	5_2_00199CD4

Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 5_2_0016BEDC rdtsc

5_2_0016BEDC

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7848	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7848	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: LisectAVT_2403002A_214.exe, 00000000.00000002.1612511142.00000217B47C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: BitLockerToGo.exe, 00000005.00000002.1607077378.0000000000598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 5_2_0016BEDC rdtsc

5_2_0016BEDC

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 5_2_0017B6E2 LoadLibraryW,GetProcAddress,GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,

5_2_0017B6E2

Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 160000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 160000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: LisectAVT_2403002A_214.exe, 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: associationokeo.shop
Source: LisectAVT_2403002A_214.exe, 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: turkeyunlikelyofw.shop
Source: LisectAVT_2403002A_214.exe, 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: pooreveningfuseor.pw
Source: LisectAVT_2403002A_214.exe, 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: edurestunningcrackyow.fun
Source: LisectAVT_2403002A_214.exe, 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: detectordiscusser.shop
Source: LisectAVT_2403002A_214.exe, 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: problemregardybuiwo.fun
Source: LisectAVT_2403002A_214.exe, 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: lighterepisodeheighte.fun
Source: LisectAVT_2403002A_214.exe, 00000000.00000002.1610801059.000000C000DB6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: technologyenterdo.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 160000			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2BA008			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe	Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_214.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Yara detected Go Injector

Source: Yara match	File source: LisectAVT_2403002A_214.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1379836943.00007FF610C84000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1619703472.00007FF610C84000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_214.exe PID: 7392, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected Go Injector

Source: Yara match	File source: LisectAVT_2403002A_214.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1379836943.00007FF610C84000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1619703472.00007FF610C84000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_214.exe PID: 7392, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_214.exe	100%	Avira	TR/Agent.wcutk

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://examples.k8s.io/volumes/rbd/README.md#how-to-use-itGo	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeportUse	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdiskWhenScaled	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/volumes#emptydirmatchLabels	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/volumes#secretmonitors	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-ow	0%	Avira URL Cloud	safe
https://lighterepisodeheighte.fun/api	100%	Avira URL Cloud	malware
https://kubernetes.io/docs/concepts/nodes/node/#conditionKind	0%	Avira URL Cloud	safe
https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-itgroup	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/configuration/secret/#secret-typesValue	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxiesClus	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/nodes/node/#addresses	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/policy/resource-quotas/List	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/services-networking/service/An	0%	Avira URL Cloud	safe
https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.mdEntrypoint	0%	Avira URL Cloud	safe
https://examples.k8s.io/volumes/glusterfs/README.md#create-a-podpodIPs	0%	Avira URL Cloud	safe
https://detectordiscusser.shop/api	100%	Avira URL Cloud	malware
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectorsThe	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#quality-of-service-classesversion	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming	0%	Avira URL Cloud	safe
https://associationokeo.shop/api/F	100%	Avira URL Cloud	malware
https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/Route	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/containers/images.PodSecurityContext	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/Estimated	0%	Avira URL Cloud	safe
https://associationokeo.shop//P	100%	Avira URL Cloud	malware
https://examples.k8s.io/volumes/rbd/README.md(?	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/EndpointSubset	0%	Avira URL Cloud	safe
http://beego.me/docs/module/toolbox.md	0%	Avira URL Cloud	safe
https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it	0%	Avira URL Cloud	safe
https://www.iana.org/assignments/service-names).	0%	Avira URL Cloud	safe
technologyenterdo.shop	100%	Avira URL Cloud	malware
https://microsoftgraph.chinacloudapi.cnk8s.io.api.apps.v1.StatefulSetConditionsucceeded	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/pods/init-containers/	0%	Avira URL Cloud	safe
https://edurestunningcrackyow.fun/	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probesstatus	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/tasks/administer-cluster/namespaces/secretFile	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/volumes#nfsDeprecated.	0%	Avira URL Cloud	safe
https://gohugo.io/methods/page/path/readOnly	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/If	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditionsMinimum	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/volumes#emptydirpersistentVolumeReclaimPolicy	0%	Avira URL Cloud	safe
https://examples.k8s.io/volumes/glusterfs/README.mdRegisting	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk	0%	Avira URL Cloud	safe
https://web.whatsapp.comserver	0%	Avira URL Cloud	safe
https://github.com/go-sql-driver/mysql/wiki/old_passwordsreadOnly	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/overview/working-with-objects/names#namesVerbs	0%	Avira URL Cloud	safe
https://login.microsoftonline.com/https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.n	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/Represents	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phaseThe	0%	Avira URL Cloud	safe
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-cont	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-statusLimits	0%	Avira URL Cloud	safe
https://management.core.usgovcloudapi.net/https://dev.azuresynapse.usgovcloudapi.netk8s.io.api.apps.	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditionsIf	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumesOwnerReference	0%	Avira URL Cloud	safe
https://associationokeo.shop//	100%	Avira URL Cloud	malware
https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdiskStatus	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uidsSpecifies	0%	Avira URL Cloud	safe
https://problemregardybuiwo.fun/apiz	0%	Avira URL Cloud	safe
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsvolum	0%	Avira URL Cloud	safe
https://management.azure.com/https://managedhsm.azure.net/https://servicebus.azure.net/https://datab	0%	Avira URL Cloud	safe
problemregardybuiwo.fun	0%	Avira URL Cloud	safe
https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/volumes#rbdEstimated	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/volumes#nfs	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/Deprecated:	0%	Avira URL Cloud	safe
https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.com&ControllerRevisionList	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller	0%	Avira URL Cloud	safe
https://turkeyunlikelyofw.shop/apiG	100%	Avira URL Cloud	malware
https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacityThe	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/storage/persistent-volumesItems	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicati	0%	Avira URL Cloud	safe
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.mdSecretReference	0%	Avira URL Cloud	safe
http://beego.me/docs/advantage/monitor.md	0%	Avira URL Cloud	safe
https://golang.org/pkg/unicode/#IsPrint.	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooksHostProcess	0%	Avira URL Cloud	safe
https://issues.k8s.io/61966Path	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/architecture/nodes/#capacity	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/spec	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uidsReceived	0%	Avira URL Cloud	safe
https://detectordiscusser.shop/j	100%	Avira URL Cloud	malware
https://examples.k8s.io/mysql-cinder-pd/README.mdAPIVersions	0%	Avira URL Cloud	safe
https://edurestunningcrackyow.fun/apitS	0%	Avira URL Cloud	safe
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindscurre	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probesCount	0%	Avira URL Cloud	safe
edurestunningcrackyow.fun	0%	Avira URL Cloud	safe
https://datalake.azure.net/https://api.loganalytics.iohttps://graph.microsoft.us/https://api.loganal	0%	Avira URL Cloud	safe
https://examples.k8s.io/volumes/glusterfs/README.md#create-a-podWhether	0%	Avira URL Cloud	safe
https://github.com/go-sql-driver/mysql/wiki/strict-mode	0%	Avira URL Cloud	safe
https://github.com/grpc/grpc/blob/master/doc/health-checking.md).	0%	Avira URL Cloud	safe
https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types	0%	Avira URL Cloud	safe
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusp	0%	Avira URL Cloud	safe
associationokeo.shop	100%	Avira URL Cloud	malware
https://lighterepisodeheighte.fun/apir	0%	Avira URL Cloud	safe
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statust	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-templatekind	0%	Avira URL Cloud	safe
https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions	0%	Avira URL Cloud	safe
https://examples.k8s.io/volumes/glusterfs/README.mdIf	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
edurestunningcrackyow.fun	unknown	unknown	true	unknown
problemregardybuiwo.fun	unknown	unknown	true	unknown
turkeyunlikelyofw.shop	unknown	unknown	true	unknown
lighterepisodeheighte.fun	unknown	unknown	true	unknown
technologyenterdo.shop	unknown	unknown	true	unknown
detectordiscusser.shop	unknown	unknown	true	unknown
pooreveningfuseor.pw	unknown	unknown	true	unknown
associationokeo.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
technologyenterdo.shop	true	Avira URL Cloud: malware	unknown
problemregardybuiwo.fun	true	Avira URL Cloud: safe	unknown
edurestunningcrackyow.fun	true	Avira URL Cloud: safe	unknown
associationokeo.shop	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://lighterepisodeheighte.fun/api	BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607127000.00000000005AF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-itgroup	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/volumes#secretmonitors	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeportUse	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdiskWhenScaled	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/nodes/node/#conditionKind	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://examples.k8s.io/volumes/rbd/README.md#how-to-use-itGo	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/nodes/node/#phase	LisectAVT_2403002A_214.exe	false		unknown
https://kubernetes.io/docs/concepts/storage/volumes#emptydirmatchLabels	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-ow	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://associationokeo.shop/	BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://kubernetes.io/docs/concepts/configuration/secret/#secret-typesValue	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/nodes/node/#addresses	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/services-networking/service/An	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://examples.k8s.io/volumes/glusterfs/README.md#create-a-podpodIPs	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxiesClus	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.mdEntrypoint	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#quality-of-service-classesversion	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://detectordiscusser.shop/api	BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://kubernetes.io/docs/concepts/policy/resource-quotas/List	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectorsThe	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
http://beego.me/docs/module/toolbox.md	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://examples.k8s.io/volumes/rbd/README.md(?	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/Route	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://associationokeo.shop/api/F	BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://associationokeo.shop//P	BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/EndpointSubset	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/Estimated	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/containers/images.PodSecurityContext	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://microsoftgraph.chinacloudapi.cnk8s.io.api.apps.v1.StatefulSetConditionsucceeded	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probesstatus	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://www.iana.org/assignments/service-names).	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/pods/init-containers/	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://gohugo.io/methods/page/path/readOnly	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/volumes#nfsDeprecated.	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://edurestunningcrackyow.fun/	BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/tasks/administer-cluster/namespaces/secretFile	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/If	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditionsMinimum	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://examples.k8s.io/volumes/glusterfs/README.mdRegisting	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/overview/working-with-objects/names#namesVerbs	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/volumes#emptydirpersistentVolumeReclaimPolicy	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://web.whatsapp.comserver	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://github.com/go-sql-driver/mysql/wiki/old_passwordsreadOnly	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phaseThe	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.n	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/Represents	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-cont	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-statusLimits	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://management.core.usgovcloudapi.net/https://dev.azuresynapse.usgovcloudapi.netk8s.io.api.apps.	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditionsIf	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumesOwnerReference	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://associationokeo.shop//	BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uidsSpecifies	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdiskStatus	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsvolum	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://problemregardybuiwo.fun/apiz	BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://management.azure.com/https://managedhsm.azure.net/https://servicebus.azure.net/https://datab	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/volumes#nfs	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/Deprecated:	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.com&ControllerRevisionList	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/volumes#rbdEstimated	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://turkeyunlikelyofw.shop/apiG	BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005F4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607255184.00000000005F4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacityThe	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.mdSecretReference	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://golang.org/pkg/unicode/#IsPrint.	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://issues.k8s.io/61966Path	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooksHostProcess	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicati	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/storage/persistent-volumesItems	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
http://beego.me/docs/advantage/monitor.md	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/architecture/nodes/#capacity	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/spec	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://examples.k8s.io/mysql-cinder-pd/README.mdAPIVersions	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uidsReceived	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://detectordiscusser.shop/j	BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probesCount	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindscurre	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://edurestunningcrackyow.fun/apitS	BitLockerToGo.exe, 00000005.00000002.1607176031.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1606399221.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://datalake.azure.net/https://api.loganalytics.iohttps://graph.microsoft.us/https://api.loganal	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://examples.k8s.io/volumes/glusterfs/README.md#create-a-podWhether	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://github.com/go-sql-driver/mysql/wiki/strict-mode	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://github.com/grpc/grpc/blob/master/doc/health-checking.md).	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusp	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://lighterepisodeheighte.fun/apir	BitLockerToGo.exe, 00000005.00000003.1606052174.00000000005A9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1607127000.00000000005AF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statust	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-templatekind	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://examples.k8s.io/volumes/glusterfs/README.mdIf	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown
https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions	LisectAVT_2403002A_214.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482414
Start date and time:	2024-07-25 22:37:38 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_214.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@8/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 20 Number of non-executed functions: 84
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: LisectAVT_2403002A_214.exe

Simulations

Behavior and APIs

Time	Type	Description
16:38:52	API Interceptor	2x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.9283332332110055
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	LisectAVT_2403002A_214.exe
File size:	52'278'277 bytes
MD5:	0550a11fcb665292ced7ad22a049d5c0
SHA1:	353afdabcae90759cce29fe7274bc1bf32e53fce
SHA256:	f373d495ed5e7f60ebf172abf2764fb385addf399a66aefef7f02f4fbb837e0b
SHA512:	8d0ed6131b65b8737ce5fd9ba15cf3341ce26afc5d56c4935f945d11e30ac4aa4023d7db89c01fdd03d0766e1035a640f8dd265bc2dc2450e6a0cd500a3d0102
SSDEEP:	196608:1lXXV2cKzAYr/ueCsnNJGR9COscQf5hphPd6W/C4fraetS3afpi0VbINDi:/F2cCAYVFNDOLQRhp3g4fraeS3axVRI
TLSH:	3EB73957F8A44C94E8A9C138C5618612FE72BC695B3427D33A64F7252F3EBD09A7E700
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.XX....................@.............................0).....I.....`... ............................

File Icon


Icon Hash:	3331f1959e91d14b

Static PE Info

General

Entrypoint:	0x1400014c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x4157b120, 0x1, 0x4157b0f0, 0x1, 0x4157eba0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	7c2fe60df21c5bf7048fa4a414b9ecb8

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [030D67D5h]
mov dword ptr [eax], 00000001h
call 00007F0384FE2BFFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [030D67B5h]
mov dword ptr [eax], 00000000h
call 00007F0384FE2BDFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F0386567944h
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F0384FE2F19h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
jmp dword ptr [eax]
inc edi
outsd
and byte ptr [edx+75h], ah
imul ebp, dword ptr [esp+20h], 203A4449h
and dh, byte ptr [edx]
jne 00007F0384FE2F87h
popad
xor al, 50h
jnc 00007F0384FE2FB2h
xor al, 35h
push esi
xor byte ptr [edx+4Ch], ah
insb
push eax
push esi
cmp byte ptr [edi+32h], dh
das
inc ecx
jp 00007F0384FE2F93h
push eax
inc ebp
pop eax
imul ebp, dword ptr [6E6D4447h], 496F6D49h
push eax
dec ecx
dec edi
xor byte ptr [edi], ch
xor cl, byte ptr [esi+4Eh]
imul eax, dword ptr [esi+6Ah], 67h
aaa
jno 00007F0384FE2F98h
insb
xor bh, byte ptr [eax+5Fh]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x31f9000	0x4e	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31fa000	0x1484	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x31fe000	0xf8d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x30d9000	0x6d9f8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x320e000	0x84308	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x30d7600	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x31fa49c	0x460	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x15856c0	0x1585800	6417641fee0c8fae1cf2d23d73b66755	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x1587000	0x102f90	0x103000	cc02e42bb12f1ede07db56e118b7afd0	False	0.27056625542953666	dBase III DBT, version number 0, next free block index 10, 1st item "Igqz0ClEp6aQ="	4.896175437091791	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x168a000	0x1a4e430	0x1a4e600	74d13ede7f846ab7e522b4eeba9d88b1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x30d9000	0x6d9f8	0x6da00	e490ea0c597bbf0f5766f261ef520972	False	0.3936404290193843	data	6.093801503052402	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x3147000	0xc50	0xe00	72f00816ee44a2c755faf096d91676ef	False	0.2583705357142857	data	4.000837251226382	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x3148000	0xb0e00	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x31f9000	0x4e	0x200	90a1d3534398e00970fc6e34d838a7cf	False	0.091796875	data	0.7296780309167858	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x31fa000	0x1484	0x1600	57eec2be9bad131b4abb8a7221164c6e	False	0.2998934659090909	data	4.642690062767796	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x31fc000	0x70	0x200	c0480b52149b2ae5110d58c172273c25	False	0.0859375	data	0.49024517705587084	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x31fd000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x31fe000	0xf8d4	0xfa00	f133362ea24bb613b32e7692f7150870	False	0.317109375	data	3.9834081369511525	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x320e000	0x84308	0x84400	4f30c5b13bbe6b55dbc22f3e4cecbb34	False	0.10664653237240075	data	5.4430701355301725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x31fe370	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.45564516129032256
RT_ICON	0x31fe658	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.6081081081081081
RT_ICON	0x31fe780	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688			0.36087420042643925
RT_ICON	0x31ff628	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152			0.48736462093862815
RT_ICON	0x31ffed0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320			0.6040462427745664
RT_ICON	0x3200438	0x2522	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9592888701872502
RT_ICON	0x320295c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.11265942371280113
RT_ICON	0x3206b84	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.14979253112033195
RT_ICON	0x320912c	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720			0.1878698224852071
RT_ICON	0x320ab94	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.22326454033771106
RT_ICON	0x320bc3c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.2905737704918033
RT_ICON	0x320c5c4	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680			0.34186046511627904
RT_ICON	0x320cc7c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.3962765957446808
RT_GROUP_ICON	0x320d0e4	0xbc	data			0.6542553191489362
RT_VERSION	0x320d1a0	0x400	data	English	United States	0.3818359375
RT_MANIFEST	0x320d5a0	0x334	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.46707317073170734

Imports

DLL

Import

KERNEL32.dll

AddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerA, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler

msvcrt.dll

___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen

Exports

Name	Ordinal	Address
_0000000000000000	1	0x1431f8030

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T22:38:53.668122+0200	UDP	2050956	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (turkeyunlikelyofw .shop)	63245	53	192.168.2.8	1.1.1.1
2024-07-25T22:38:53.640944+0200	UDP	2050953	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pw)	50217	53	192.168.2.8	1.1.1.1
2024-07-25T22:38:53.605777+0200	UDP	2050955	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (problemregardybuiwo .fun)	52392	53	192.168.2.8	1.1.1.1
2024-07-25T22:38:53.630606+0200	UDP	2051473	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fun)	59977	53	192.168.2.8	1.1.1.1
2024-07-25T22:38:49.620341+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49705	40.127.169.103	192.168.2.8
2024-07-25T22:38:53.618320+0200	UDP	2050996	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (detectordiscusser .shop)	59523	53	192.168.2.8	1.1.1.1
2024-07-25T22:38:53.682272+0200	UDP	2050952	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (associationokeo .shop)	57670	53	192.168.2.8	1.1.1.1
2024-07-25T22:38:53.244473+0200	UDP	2051470	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lighterepisodeheighte .fun)	56007	53	192.168.2.8	1.1.1.1
2024-07-25T22:38:53.593216+0200	UDP	2050998	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (technologyenterdo .shop)	49180	53	192.168.2.8	1.1.1.1
2024-07-25T22:39:27.121641+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49707	40.127.169.103	192.168.2.8

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 22:38:53.244472980 CEST	56007	53	192.168.2.8	1.1.1.1
Jul 25, 2024 22:38:53.588146925 CEST	53	56007	1.1.1.1	192.168.2.8
Jul 25, 2024 22:38:53.593215942 CEST	49180	53	192.168.2.8	1.1.1.1
Jul 25, 2024 22:38:53.601459026 CEST	53	49180	1.1.1.1	192.168.2.8
Jul 25, 2024 22:38:53.605777025 CEST	52392	53	192.168.2.8	1.1.1.1
Jul 25, 2024 22:38:53.614622116 CEST	53	52392	1.1.1.1	192.168.2.8
Jul 25, 2024 22:38:53.618319988 CEST	59523	53	192.168.2.8	1.1.1.1
Jul 25, 2024 22:38:53.627041101 CEST	53	59523	1.1.1.1	192.168.2.8
Jul 25, 2024 22:38:53.630605936 CEST	59977	53	192.168.2.8	1.1.1.1
Jul 25, 2024 22:38:53.639393091 CEST	53	59977	1.1.1.1	192.168.2.8
Jul 25, 2024 22:38:53.640944004 CEST	50217	53	192.168.2.8	1.1.1.1
Jul 25, 2024 22:38:53.664535999 CEST	53	50217	1.1.1.1	192.168.2.8
Jul 25, 2024 22:38:53.668122053 CEST	63245	53	192.168.2.8	1.1.1.1
Jul 25, 2024 22:38:53.679549932 CEST	53	63245	1.1.1.1	192.168.2.8
Jul 25, 2024 22:38:53.682271957 CEST	57670	53	192.168.2.8	1.1.1.1
Jul 25, 2024 22:38:53.691338062 CEST	53	57670	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 22:38:53.244472980 CEST	192.168.2.8	1.1.1.1	0xe04f	Standard query (0)	lighterepisodeheighte.fun	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:38:53.593215942 CEST	192.168.2.8	1.1.1.1	0x4cea	Standard query (0)	technologyenterdo.shop	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:38:53.605777025 CEST	192.168.2.8	1.1.1.1	0x19d2	Standard query (0)	problemregardybuiwo.fun	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:38:53.618319988 CEST	192.168.2.8	1.1.1.1	0xdc24	Standard query (0)	detectordiscusser.shop	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:38:53.630605936 CEST	192.168.2.8	1.1.1.1	0x5b97	Standard query (0)	edurestunningcrackyow.fun	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:38:53.640944004 CEST	192.168.2.8	1.1.1.1	0x57df	Standard query (0)	pooreveningfuseor.pw	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:38:53.668122053 CEST	192.168.2.8	1.1.1.1	0x9d18	Standard query (0)	turkeyunlikelyofw.shop	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:38:53.682271957 CEST	192.168.2.8	1.1.1.1	0xfd78	Standard query (0)	associationokeo.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 22:38:53.588146925 CEST	1.1.1.1	192.168.2.8	0xe04f	Name error (3)	lighterepisodeheighte.fun	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:38:53.601459026 CEST	1.1.1.1	192.168.2.8	0x4cea	Name error (3)	technologyenterdo.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:38:53.614622116 CEST	1.1.1.1	192.168.2.8	0x19d2	Name error (3)	problemregardybuiwo.fun	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:38:53.627041101 CEST	1.1.1.1	192.168.2.8	0xdc24	Name error (3)	detectordiscusser.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:38:53.639393091 CEST	1.1.1.1	192.168.2.8	0x5b97	Name error (3)	edurestunningcrackyow.fun	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:38:53.679549932 CEST	1.1.1.1	192.168.2.8	0x9d18	Name error (3)	turkeyunlikelyofw.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:38:53.691338062 CEST	1.1.1.1	192.168.2.8	0xfd78	Name error (3)	associationokeo.shop	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	16:38:30
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_214.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_214.exe"
Imagebase:	0x7ff60e700000
File size:	52'278'277 bytes
MD5 hash:	0550A11FCB665292CED7AD22A049D5C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000000.1379836943.00007FF610C84000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000002.1619703472.00007FF610C84000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:38:52
Start date:	25/07/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Imagebase:	0x7a0000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	43.1%
Total number of Nodes:	51
Total number of Limit Nodes:	5

Executed Functions

Function 00193EB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00194011
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0019406E

Strings

,, xrefs: 00193FE8
@, xrefs: 00193F5E

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ,$@
API String ID: 292159236-1227015840
Opcode ID: 1ff9616804f55aadd8ef674d9b3075b3c3312ba771a07a0550711c2156c3fe4f
Instruction ID: 13617b1efd48eb0d6939b40c6603c4eaf59ef5fda74210bda60dcd89ab4d44f7
Opcode Fuzzy Hash: 1ff9616804f55aadd8ef674d9b3075b3c3312ba771a07a0550711c2156c3fe4f
Instruction Fuzzy Hash: 864149B1109305AFD710DF14CC44B5ABBE4FF85368F14861CF5A89B2E0E7759A48CB56

Function 00190E9D Relevance: 6.1, APIs: 4, Instructions: 127
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00190F44
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000010,00008000), ref: 00190F7F

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 7a64a1cc6304128035635af33258800845af9a33a99be7120b02d58ac7be3af4
Instruction ID: c3b4ef657668e48b9b4f72f076f52551b76d6e0a63b92fab4b78d44f65dc095a
Opcode Fuzzy Hash: 7a64a1cc6304128035635af33258800845af9a33a99be7120b02d58ac7be3af4
Instruction Fuzzy Hash: D35137711493519FE711CF08D848B1BBBE4FB89B58F14490CF6A59B2E0D7B4D988CB92

Function 001917F2 Relevance: 6.1, APIs: 4, Instructions: 121
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0019188E
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 001918C1
NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00191964
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00191997

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 8c49493bd6efd00e5fcbaf35f0e2717ed281d6b5915b83398cb2a1b2c8353cf3
Instruction ID: 808438117a03eb9fbf3b490703b9b60f6311de5c061e12e238b7642eb198d970
Opcode Fuzzy Hash: 8c49493bd6efd00e5fcbaf35f0e2717ed281d6b5915b83398cb2a1b2c8353cf3
Instruction Fuzzy Hash: 9B415771209316AFE700CF18C844B2BBBE4FB86758F14891DF5A5972E0D7B4D888CB96

Function 001941A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00194252
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0019429A

Strings

$, xrefs: 00194227

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: $
API String ID: 292159236-3993045852
Opcode ID: 112232e19ab5f660ca9c941de73bde339e7bd50702a7a733cbf37c91a6e75386
Instruction ID: 2d2e21160ea608ba2c595dfd20ffe7e12bbd2c378f8d116cdb771a87946b9417
Opcode Fuzzy Hash: 112232e19ab5f660ca9c941de73bde339e7bd50702a7a733cbf37c91a6e75386
Instruction Fuzzy Hash: C7314A74208315AFE710DF19DC80B1BBBE8EB85718F14892CFA949B3D0D3B1A9458B92

Function 00176010 Relevance: 3.1, APIs: 2, Instructions: 69
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 001760AD
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 001760DF

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: b7a29da16c6975043a950dfc722e06abf575c152f7ed016cf52839393f3d5460
Instruction ID: 2f66bc46912299459ba840f3dc4a1c1a948cfaab8c5b81ac2981f84e67467cc1
Opcode Fuzzy Hash: b7a29da16c6975043a950dfc722e06abf575c152f7ed016cf52839393f3d5460
Instruction Fuzzy Hash: D4210B70109315ABD310DF19DC44B1BBBE8EB85768F14891CF9A9873D0D7759848CB96

Function 0016A7C0 Relevance: 3.0, Strings: 2, Instructions: 534
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

name="atok" value=", xrefs: 0016A7E4, 0016AD5E
act=life, xrefs: 0016A90E, 0016AA1C

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: act=life$name="atok" value="
API String ID: 0-1821706235
Opcode ID: 7ac21e7f734cacea80b9831a6c1e65e7c363c82dddbb551a00d216d5fa954512
Instruction ID: dc9e026595b4479b6910e2c94e8264c6a50cbf90421e80ef47b54fd31d3b496d
Opcode Fuzzy Hash: 7ac21e7f734cacea80b9831a6c1e65e7c363c82dddbb551a00d216d5fa954512
Instruction Fuzzy Hash: 7722C0B01047818FC322CF29D990662BFF1AF56314F59858EC4E54FBA2D335E986CB92

Function 001916EC Relevance: 1.5, APIs: 1, Instructions: 44
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000002), ref: 0019176C

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 6c45072302ae5cf9ef4fb282e6baf31e72350034123304820cda71e4d16a37ee
Instruction ID: 1cde904578d0de637f70547996911e77038014c1fe753f88927d8cc4e58e7e2b
Opcode Fuzzy Hash: 6c45072302ae5cf9ef4fb282e6baf31e72350034123304820cda71e4d16a37ee
Instruction Fuzzy Hash: DD016270298340BEFA249F54DC07F1A7BB1ABC1B14F208A1CF2606A5F6D7F269458F55

Function 001914BF Relevance: 1.5, APIs: 1, Instructions: 15nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000004), ref: 001914DA

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: OpenSection
String ID:
API String ID: 1950954290-0
Opcode ID: 297c95f641988833347a004eb62571854d30674e185ab9dcbff8cab096cef3a3
Instruction ID: 504297e8523b608089ede169fc23f98ff373b6a70dc2892d991c943677f6a6ee
Opcode Fuzzy Hash: 297c95f641988833347a004eb62571854d30674e185ab9dcbff8cab096cef3a3
Instruction Fuzzy Hash: 4ED0A770150140ABCB1CC794DC01E363352E7C5305F18402CE10193A73DAB05543CB10

Function 001919B2 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?), ref: 001919C9

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 2d32dbac67e631b588efd168aebfb676c76f1e7d4eb1c3b02d5fbe8ff0af24fb
Instruction ID: 6d21469d40cff9af3f10f3c9a71ce731efaec2256655dd2376304165a956978f
Opcode Fuzzy Hash: 2d32dbac67e631b588efd168aebfb676c76f1e7d4eb1c3b02d5fbe8ff0af24fb
Instruction Fuzzy Hash: A2D023310A40C06FC7009B9CEC014357F60BB46301B04043DF8B1C3772D73546219F10

Function 0016A560 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 709c5836fc07df5e83584aed93555123609ced70a7f83d9df07e626e060a7f5e
Instruction ID: 302e499e7d5d8d0c8d855c3f208e067b891da0fd1b9fba0fdd89776ca7c13ed5
Opcode Fuzzy Hash: 709c5836fc07df5e83584aed93555123609ced70a7f83d9df07e626e060a7f5e
Instruction Fuzzy Hash: 8951D9B58242006FDB106F24FC467797BA4FF67305F494439F949A3A22F3324A65CB52

Function 00191E75 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C%R+, xrefs: 00191F38
V98?, xrefs: 00191EE5
R5X;, xrefs: 00191A83
R5X;, xrefs: 00191EDD
C%R+, xrefs: 00191AD8
U)X/, xrefs: 00191A6B
V98?, xrefs: 00191A8B
U)X/, xrefs: 00191EC5

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: C%R+$C%R+$R5X;$R5X;$U)X/$U)X/$V98?$V98?
API String ID: 0-17140411
Opcode ID: 236e14f2accf32f5a81ca8dac5dc8e6168acd3d5986b9ca6c1a69291b227a5e6
Instruction ID: 58a1da85e5db71d48fd02170f17e00f9be393c7bf38bacd05e2a5cea98d7729f
Opcode Fuzzy Hash: 236e14f2accf32f5a81ca8dac5dc8e6168acd3d5986b9ca6c1a69291b227a5e6
Instruction Fuzzy Hash: B9419BB0509341AFEB04CF14DAA072BBFE1BB96744F14891CF8995B751E3358E86CB92

Function 00191A16 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00191B0A

Strings

R5X;, xrefs: 00191A83
C%R+, xrefs: 00191AD8
U)X/, xrefs: 00191A6B
V98?, xrefs: 00191A8B

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID: C%R+$R5X;$U)X/$V98?
API String ID: 1029625771-2675831890
Opcode ID: 306aab8781be43ba7a3b329bc8ef6d371b7ca642877f09997692854c26a5eb1c
Instruction ID: 6a6f56816d504ef3cc91085df6973dc34759592604acc2f193cbd95694475fd3
Opcode Fuzzy Hash: 306aab8781be43ba7a3b329bc8ef6d371b7ca642877f09997692854c26a5eb1c
Instruction Fuzzy Hash: 2F21B0B0508341AFD708CF10DEA172BBFE1EB96745F14891CE49917711E3358E86CB86

Function 00191B55 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00191C20

Strings

uw, xrefs: 00191B82
pq, xrefs: 00191B8A

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID: pq$uw
API String ID: 1029625771-2542560687
Opcode ID: 5b1076a9e70569dedcefb3f36a988b76e7aa0c77c29cf0ca451b042027b3af1e
Instruction ID: b6572e3d18e099293c28d60efd3d2331e7b9ae148bafbba4bf158a8b6eb17676
Opcode Fuzzy Hash: 5b1076a9e70569dedcefb3f36a988b76e7aa0c77c29cf0ca451b042027b3af1e
Instruction Fuzzy Hash: 9E2144752483019BD318CF10D5A032BBBF1EFC9788F544E1DE89A9B690D734D989CB8A

Function 001690A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 0016914C

Strings

eleet or leetspeak, is a system of modified spellings used primarily on the internet. it often uses character replacements in ways that play on the similarity of their glyphs via reflection or other resemblance, xrefs: 00169105

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: ExitProcess
String ID: eleet or leetspeak, is a system of modified spellings used primarily on the internet. it often uses character replacements in ways that play on the similarity of their glyphs via reflection or other resemblance
API String ID: 621844428-3721107060
Opcode ID: cdb5a5987a9dfc82a30de272385ee411f5feaf9dd490d7b65a1eeb7bc0148d85
Instruction ID: 9de9049e26513c9f7c14929e0da839eca21c8214614f9b019c36bbcd17e29fdb
Opcode Fuzzy Hash: cdb5a5987a9dfc82a30de272385ee411f5feaf9dd490d7b65a1eeb7bc0148d85
Instruction Fuzzy Hash: 451192B080C202DBDB087F749E0E63A7ABD9B23334F324527F98642145EB314475A793

Function 0019152A Relevance: 1.6, APIs: 1, Instructions: 93
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00191694

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 497da810b043458921a36ecc1282bb8b4282661b7de2e2f05a2147866fae695a
Instruction ID: a81f89c4147c28d8f4974ab031e1d9ba351225317f9cd354e5098d9d39d23ead
Opcode Fuzzy Hash: 497da810b043458921a36ecc1282bb8b4282661b7de2e2f05a2147866fae695a
Instruction Fuzzy Hash: 844117B4508341ABD708CF14C9A472FBBE2EFC5708F558A1CE4951B785C374D94ADB86

Function 001922B5 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,FFFFFFFF), ref: 0019231C

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dd96a9f86efef0de802bc21aaff418d208e4d4054f616b79ee5977b1e777f7be
Instruction ID: 875387ded0ac9b8892810060299d08796f202afd90f8a64f688a6d650a1d8c83
Opcode Fuzzy Hash: dd96a9f86efef0de802bc21aaff418d208e4d4054f616b79ee5977b1e777f7be
Instruction Fuzzy Hash: A9118236E011248FC719CF6CEC51A9AB7F1BB89758F16062DE912E77A1C7349C85CB84

Function 00192A7F Relevance: 1.6, APIs: 1, Instructions: 50
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,FFFFFFFF), ref: 00192ADE

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dfbdd4b96d75e3b096dd2d9d29473e600fd5d1513eb32cf83a447f70ccb99a5f
Instruction ID: f5549b08d66642b55c16d67fe37a87b2a41fd6ab1b7cedae63101d6ff7248389
Opcode Fuzzy Hash: dfbdd4b96d75e3b096dd2d9d29473e600fd5d1513eb32cf83a447f70ccb99a5f
Instruction Fuzzy Hash: 22114C76E012199FCB18CFA9D88169EBBB1BB88318F15412AE915F7250D7349D85CB84

Function 0018F750 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0018F79F

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b5e1868732182ab54af7c0a88f372f0cc57cd5b7993c2fdc1375f3b091688816
Instruction ID: 9db3c1acff7a159fca7c336ed2506283ba1c26f118e222b266aad488cf3cba48
Opcode Fuzzy Hash: b5e1868732182ab54af7c0a88f372f0cc57cd5b7993c2fdc1375f3b091688816
Instruction Fuzzy Hash: 0BF0A072B142104FD304DB29ED1679A77E2ABD4B04F01C83CE484DB658D6389C9ACB8A

Function 0018F857 Relevance: 1.5, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,?,00000000), ref: 0018F861

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6794bfe0a2e6e19bd5b38f9f97031f9fc9a6dbcc58311458fe5389d54e20ef1a
Instruction ID: ac7bfd87f3e47b5cdd879fd00671e21ace0fd4022f2519eac6788a16b64726a7
Opcode Fuzzy Hash: 6794bfe0a2e6e19bd5b38f9f97031f9fc9a6dbcc58311458fe5389d54e20ef1a
Instruction Fuzzy Hash: FEC0803424105476D1144715CCC2F7716D8DF4B679F20002DB506C51C0C90454528469

Function 00192B50 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00169140), ref: 00192B68

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3ee30f2ae86a94ab7867412d29853033bc2de290ced887600a038d44504b2888
Instruction ID: 0052592b5c2cae8552bcf35b8ffee900d733878de36dfbc4a418f4c4a2582813
Opcode Fuzzy Hash: 3ee30f2ae86a94ab7867412d29853033bc2de290ced887600a038d44504b2888
Instruction Fuzzy Hash: 0CD092B1910000ABDE116FB8FC08A2A3B69BB177157148060F12290D30DB33CA92DB20

Non-executed Functions

Function 0018513A Relevance: 14.9, APIs: 4, Strings: 4, Instructions: 903nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00185847
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0018587D

Strings

qFvs, xrefs: 00185BC4
eL"M, xrefs: 00185BCB
}Nmk, xrefs: 00185BD2
QQch, xrefs: 00185BD9

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: QQch$eL"M$qFvs$}Nmk
API String ID: 292159236-392577269
Opcode ID: 36b533eac668d52ee3a595d70e28e24b84ecc21dcef84d6f5c1fefcab407179c
Instruction ID: 361acaea91b9e706635b58b9dbad27182edf06c88c20f0b49d2bb5f31070dbf2
Opcode Fuzzy Hash: 36b533eac668d52ee3a595d70e28e24b84ecc21dcef84d6f5c1fefcab407179c
Instruction Fuzzy Hash: 9C626870204B428FD329CF29C490722FBF2FF9A314F68865DD4968BB91D779A945CB90

Function 00169C20 Relevance: 14.2, Strings: 11, Instructions: 435COMMON

Download Yara Rule

Strings

S-M/, xrefs: 0016A1B5
01, xrefs: 0016A1EC
0, xrefs: 00169C7D
tFsw, xrefs: 00169D68
C\CP, xrefs: 00169F20
Y!G#, xrefs: 0016A1C0
V%T', xrefs: 0016A1CB
SDA^, xrefs: 00169F28
X)N+, xrefs: 0016A1AA
!=$?, xrefs: 0016A1E1
ZW, xrefs: 0016A282

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: !=$?$0$01$C\CP$S-M/$SDA^$V%T'$X)N+$Y!G#$ZW$tFsw
API String ID: 0-1902009110
Opcode ID: 0f06212bc65c2b72344af75f88817522026c5a10520cdf97d058b71cfd5f6acb
Instruction ID: 8731c13773c930871bb86a4fb240b54c98bf40b29a5c1ae3e139f00fd76de5d9
Opcode Fuzzy Hash: 0f06212bc65c2b72344af75f88817522026c5a10520cdf97d058b71cfd5f6acb
Instruction Fuzzy Hash: 6B0203B01083818BE724CF15C8A4B6FBBE5BBC2348F544D1DE5D58B292D77AD909CB92

Function 001900A0 Relevance: 13.9, APIs: 9, Instructions: 433nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00100000,00003000,00000004), ref: 001900F1
NtAllocateVirtualMemory.NTDLL(000000FF,00000010,00000000,?,00003000,00000040), ref: 00190246
NtFreeVirtualMemory.NTDLL(000000FF,?,00000010,00008000), ref: 00190290
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 001902E7
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,0000BA00,00003000,00000004), ref: 00190310
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0019068E

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 3b3eb9914af5ee75fe870bcbcd754119b322ca5cf67a7dae95e5fd990945b062
Instruction ID: 4bd44d9704131801d1b5239d9243cee5af8fa5e354c512eea0ef84871d662c41
Opcode Fuzzy Hash: 3b3eb9914af5ee75fe870bcbcd754119b322ca5cf67a7dae95e5fd990945b062
Instruction Fuzzy Hash: B7F178716083519FDB25CF18C840B5BBBE4BFC9714F148A2DF6A48B3A1D771A848CB92

Function 0017B6E2 Relevance: 11.1, APIs: 7, Instructions: 623COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a85de407071e577e31085484baa605dcf2e590ca08e3498ad30ef640a62c30
Instruction ID: 1a76353ac60abf178727cf72794f82d18461116922bae706167513f7a158b384
Opcode Fuzzy Hash: 85a85de407071e577e31085484baa605dcf2e590ca08e3498ad30ef640a62c30
Instruction Fuzzy Hash: 0332E131608251CFD715CF28C890B6ABBF1FF8A305F49856DE59987392D734E885CB91

Function 0017F212 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 576nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0017F497
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0017F4CD
NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0017F613
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0017F64B

Strings

kNDW, xrefs: 0017F7F3
[tDJ, xrefs: 0017F7FD

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: [tDJ$kNDW
API String ID: 292159236-3823844181
Opcode ID: 7109948c9bb66b68c0baca91705c5c98329c7d8c40848b3e90ffb4fda73f48ca
Instruction ID: 4e0ec8bb5699dbd379d7ca07015e7904e4608b672e3beb62614fa33f9838b52f
Opcode Fuzzy Hash: 7109948c9bb66b68c0baca91705c5c98329c7d8c40848b3e90ffb4fda73f48ca
Instruction Fuzzy Hash: DB1277B1610B018FD724CF29D880BA3B7F5FB49314F148A2DE59A8BAA1D734F946CB51

Function 0017BF40 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0017C064
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 0017C08F

Strings

#U+W, xrefs: 0017C0AD
+Y;[, xrefs: 0017C0A5
#r8, xrefs: 0017C22E
!]!_, xrefs: 0017C09D

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: !]!_$#U+W$#r8$+Y;[
API String ID: 237503144-3298446581
Opcode ID: e06ffd04156613322c43dd49f957089c2fe3b0741a344b0cd0e39c1d7648d67f
Instruction ID: 9f0f566fcbecd581976b41f5e65dc66bf91fbbe7f17100fe486444fec383b7c5
Opcode Fuzzy Hash: e06ffd04156613322c43dd49f957089c2fe3b0741a344b0cd0e39c1d7648d67f
Instruction Fuzzy Hash: FC719C70108381CBE724CF15C8A1BABB7F1EF86354F04491DF8959B291E3B89A45CBA7

Function 001617A0 Relevance: 10.5, Strings: 8, Instructions: 530COMMON

Download Yara Rule

Strings

0, xrefs: 00161844
[, xrefs: 00161A09
., xrefs: 0016186F
false, xrefs: 00161932
{, xrefs: 00161BD0
null, xrefs: 00161B19
true, xrefs: 0016191A
., xrefs: 0016184A

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: .$.$0$[$false$null$true${
API String ID: 0-1639024219
Opcode ID: de79bd8d77bc834c128c7c58cfadc133d90d81f8709456bc139559a54c3b47fb
Instruction ID: 12fd14ebca6c7bb0bb7826603489f5a37d41944b6e53c97134ebf6c56fdfa338
Opcode Fuzzy Hash: de79bd8d77bc834c128c7c58cfadc133d90d81f8709456bc139559a54c3b47fb
Instruction Fuzzy Hash: A1F135B1A04305BBEB105F65DC5972A7BE8BF50348F1C8938EC868B292EB35D974C752

Function 0017F930 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 345nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0017F9D1
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0017FA0D
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0017FAC9
NtFreeVirtualMemory.NTDLL(000000FF,?,00000010,00008000), ref: 0017FB05

Strings

c'nc, xrefs: 0017FD15

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: c'nc
API String ID: 292159236-437297503
Opcode ID: 893c8f329a7cdd296446c55faf336d07400e0809dc4e5f49cc634d1e16637726
Instruction ID: a90e712eab1f31c47222799f266ec0c71cd5a08f034c955ee6167e37b2feb4bb
Opcode Fuzzy Hash: 893c8f329a7cdd296446c55faf336d07400e0809dc4e5f49cc634d1e16637726
Instruction Fuzzy Hash: B1C1DEB16083518FD310CF18C890B6BBBF0EF89754F198A2CE9D99B391D3709906CB96

Function 00194B90 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 320nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00194C34
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00194C7B
NtAllocateVirtualMemory.NTDLL(000000FF,000000B8,00000000,0000BA00,00003000,00000040), ref: 00194D3B
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000010,00008000), ref: 00194D87

Strings

R-,T, xrefs: 00194CC0

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: R-,T
API String ID: 292159236-635581381
Opcode ID: 89b5dbaa2f7c8493fb30e3e4a4423619ca3d12e54ef9acf4e2aa18374c2cd016
Instruction ID: 1c89cba2d455ca38c7fed5f7731f235ea4bd22a0a6740cef6ad86fc88801279b
Opcode Fuzzy Hash: 89b5dbaa2f7c8493fb30e3e4a4423619ca3d12e54ef9acf4e2aa18374c2cd016
Instruction Fuzzy Hash: 2AC1E0352083529FDB15CF18C890A2AFBE1FF88718F18861CF9958B3A1D775D946CB92

Function 00188090 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32 ref: 001880F2
GetDeviceCaps.GDI32 ref: 0018810D
SelectObject.GDI32 ref: 00188159
SelectObject.GDI32 ref: 001881CE

Strings

, xrefs: 0018818A

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: CapsDeviceObjectSelect
String ID:
API String ID: 4288853314-3916222277
Opcode ID: 730ea5fd8ab9c3d9a0c49e79bef2f94b52201febe51c203ee78cb120ad64ff06
Instruction ID: d4051039d127201dfb5657e9aa4bd5e653a5fe394ec3efd2a80afa56d372a705
Opcode Fuzzy Hash: 730ea5fd8ab9c3d9a0c49e79bef2f94b52201febe51c203ee78cb120ad64ff06
Instruction Fuzzy Hash: 78D14DB4518380CFDBB4DF54E68869ABBE0BB89308F50891ED58DA7764DB705488CF87

Function 0018F880 Relevance: 7.7, APIs: 5, Instructions: 200memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0018F925
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0018F963
RtlAllocateHeap.NTDLL(?,00000000,00000000), ref: 0018F9C1
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0018FA5F
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000010,00008000), ref: 0018FA9B

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$Allocate$Free$Heap
String ID:
API String ID: 996896184-0
Opcode ID: 71db2cfc70f20425427296ab803896499d9b8dc2acf917d76e244e77507f8f13
Instruction ID: 7e9af0ef11d2d1beedb1e6260583898ebf08a702f7153254442f49270101cf5c
Opcode Fuzzy Hash: 71db2cfc70f20425427296ab803896499d9b8dc2acf917d76e244e77507f8f13
Instruction Fuzzy Hash: 0A616A712083019FE314DF18C884B5BBBE5FB89724F158A2CF5A89B3A0D774D945CB96

Function 0017B06E Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

IMB@, xrefs: 0017B146
FE33, xrefs: 0017B14E

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: FE33$IMB@
API String ID: 0-789939345
Opcode ID: 76e508ab53acca7e74dcd803ab5122c65c424f7fe59c605d173268a962002191
Instruction ID: bc0b86a2974d3fd8736aa872bf6bf862bf74c7f2c55cb7466bc1483b08620b09
Opcode Fuzzy Hash: 76e508ab53acca7e74dcd803ab5122c65c424f7fe59c605d173268a962002191
Instruction Fuzzy Hash: D07132B020D3809FE324DF28D890B6FBBE4FB85714F50491DF5998B291C774994ACB92

Function 00181B6B Relevance: 6.7, APIs: 4, Instructions: 677COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,7FCC7DCA,00000009,00000000,00000000,?), ref: 00181CA3
RtlExpandEnvironmentStrings.NTDLL(00000000,7FCC7DCA,00000009,00000000,?,?), ref: 00181CD2
RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,00000009,00000000,00000000,?), ref: 001820F3
RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,00000009,00000000,?,?), ref: 0018211F

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: fc6bc5f9bfd315bd5b7d2783903379e5f7a14f4e930996cfc4f6353a10d27b3b
Instruction ID: 2cb1ff694f1dbf5fe4b9f4a7628ef0eaaf8689fe574980e2fc48fdb70f8023ac
Opcode Fuzzy Hash: fc6bc5f9bfd315bd5b7d2783903379e5f7a14f4e930996cfc4f6353a10d27b3b
Instruction Fuzzy Hash: 664246B45006019FE324DF29C5A5B22BBF1FF4A314F248A4CE8D68B795E335A946CBD1

Function 00182C15 Relevance: 6.5, Strings: 4, Instructions: 1457COMMON

Download Yara Rule

Strings

%'te, xrefs: 00183525
3, xrefs: 0018367F
?, xrefs: 001837CA
JJ;@, xrefs: 00183C01

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %'te$JJ;@$3$?
API String ID: 0-1321762328
Opcode ID: a8939d08be284323075929059bc7662638a41bcbd67ea3161b846e4216d4c0e0
Instruction ID: d1768fb25dd34fd3b37296c8529828c74fa41593d370ee14d19fc45952902ce1
Opcode Fuzzy Hash: a8939d08be284323075929059bc7662638a41bcbd67ea3161b846e4216d4c0e0
Instruction Fuzzy Hash: FBB23E705056818FD729CF29C090B62FBF1BF5A704F28869DD4D68B392C739A986CF94

Function 00182C0D Relevance: 6.4, Strings: 4, Instructions: 1357COMMON

Download Yara Rule

Strings

%'te, xrefs: 00183525
3, xrefs: 0018367F
?, xrefs: 001837CA
JJ;@, xrefs: 00183C01

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %'te$JJ;@$3$?
API String ID: 0-1321762328
Opcode ID: 89cff18259298903c6f84f857ae69440ff062055c7334eb127a3cccd2ec3795d
Instruction ID: a54a3984861e753fc1108d80230b72e4ea18a449004bb894ab4528f8a32b26c6
Opcode Fuzzy Hash: 89cff18259298903c6f84f857ae69440ff062055c7334eb127a3cccd2ec3795d
Instruction Fuzzy Hash: F4B23E746056428FD729CF28C090B62FBF1BF5A304F28859DD4D68F392D739A986CB94

Function 00194820 Relevance: 6.3, APIs: 4, Instructions: 271nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 001948C4
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00194909
NtAllocateVirtualMemory.NTDLL(000000FF,00000010,00000000,0000BA00,00003000,00000040), ref: 001949C6
NtFreeVirtualMemory.NTDLL(000000FF,00000010,00000010,00008000), ref: 00194A0B

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 89a17cbe24f33e60faee355b596a843b694276b1b8b4c620deac2db34ee2472f
Instruction ID: 1bb3bb3cc097fec15017677a3c3969296550edcf76c6d1facf990b77d1310257
Opcode Fuzzy Hash: 89a17cbe24f33e60faee355b596a843b694276b1b8b4c620deac2db34ee2472f
Instruction Fuzzy Hash: E3A155742083169FDB14CF18C880B2BB7E5FF89758F148A1CE9959B3A0D770E946CB96

Function 00194F90 Relevance: 6.3, APIs: 4, Instructions: 267nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0019506F
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 001950B5

Part of subcall function 0018F750: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0018F79F

NtAllocateVirtualMemory.NTDLL(000000FF,00000010,00000000,0000BA00,00003000,00000040), ref: 00195179
NtFreeVirtualMemory.NTDLL(000000FF,00000010,00000010,00008000), ref: 001951C2

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$Allocate$Free$Heap
String ID:
API String ID: 996896184-0
Opcode ID: 67016b0adae71f48a7f01eebd92fa8e30013829593caca1f8701050a79935a4d
Instruction ID: 4185b0aece967a595f09fd31225a277dbc560c03e8d234cabaa20c2c06de3a80
Opcode Fuzzy Hash: 67016b0adae71f48a7f01eebd92fa8e30013829593caca1f8701050a79935a4d
Instruction Fuzzy Hash: 5691FF342097519BDB16CF18C840B2BBBE1FF86714F18862CF8A997391D375E845CB92

Function 00194530 Relevance: 6.2, APIs: 4, Instructions: 229nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 001945D1
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00194619
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,0000BA00,00003000,00000040), ref: 001946D5
NtFreeVirtualMemory.NTDLL(000000FF,?,00000010,00008000), ref: 0019471F

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: b42a04e480bf1f06eb48c3241c7a2d3e6739d8ca540b50cfd20a33e9c2dd5aac
Instruction ID: 7bb65ea17895b53aa1a0d55266fb80d2319dd557002a19d220c80f0c5f2748fb
Opcode Fuzzy Hash: b42a04e480bf1f06eb48c3241c7a2d3e6739d8ca540b50cfd20a33e9c2dd5aac
Instruction Fuzzy Hash: 03819C742083169FD710CF58C880B2BB7E9FF89764F148A2CF9949B3A0D7749949CB96

Function 0018FD90 Relevance: 6.1, APIs: 4, Instructions: 147nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0018FE51
NtFreeVirtualMemory.NTDLL(000000FF,00000010,00000000,00008000), ref: 0018FE8F
NtAllocateVirtualMemory.NTDLL(000000FF,00000010,00000000,0000BA00,00003000,00000040), ref: 0018FF2F
NtFreeVirtualMemory.NTDLL(000000FF,00000010,00000010,00008000), ref: 0018FF63

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: f15e8dc2f98793551e9fec49fca802f7d80904c8cf14a3fe35ceaa0c4fbe676c
Instruction ID: 51aa210ba68b244075e8abed40ca17a7b8affd417cafbb6c5493ec16c3c68931
Opcode Fuzzy Hash: f15e8dc2f98793551e9fec49fca802f7d80904c8cf14a3fe35ceaa0c4fbe676c
Instruction Fuzzy Hash: AD516B712083059FE310DF18C848B1BBBE8FB85754F14892CF6A48B2E1D7B59989CF92

Function 00177B38 Relevance: 6.1, APIs: 4, Instructions: 122nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00177BB8
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00177BEB

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 9cf9adcec24b275fd3382e89edcceed98789b1804b32da896384648f05fa9957
Instruction ID: 9abd0f4208b5977cdd3a12d3dfbeabb34579f3e66e4efed324149bd431fb2b65
Opcode Fuzzy Hash: 9cf9adcec24b275fd3382e89edcceed98789b1804b32da896384648f05fa9957
Instruction Fuzzy Hash: 0041F575205B05DFE725CF18D884B13B7F8EB09718F148A1CD2AB8BAA0D770E589CB55

Function 00176EA2 Relevance: 6.1, APIs: 4, Instructions: 112nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00176F14
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00176F44

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 3971f626509b3a0f0acfd7d1ab05b7c73c9ae70a646b292453811bb3cc90a279
Instruction ID: 16b0aa6e82efc7a8d09bf87506bb35c54814b824204425031420d6992eef33d9
Opcode Fuzzy Hash: 3971f626509b3a0f0acfd7d1ab05b7c73c9ae70a646b292453811bb3cc90a279
Instruction Fuzzy Hash: DF413574200B049FD320CF14D844B57BBF8FB09B24F148A1CE5AACBAA0D774E489CB95

Function 0017AAF0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 338nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0017AE41
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0017AE75

Strings

de, xrefs: 0017AB16

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: de
API String ID: 292159236-2106599819
Opcode ID: eef2f2cbdf82cb84bd541b304df50ecfb282bb82e38f3e4a18954f14475f2f7b
Instruction ID: 4cd0f624e5c24956e47756793ed19568b941875d81e353f3a7333eef6e5575d3
Opcode Fuzzy Hash: eef2f2cbdf82cb84bd541b304df50ecfb282bb82e38f3e4a18954f14475f2f7b
Instruction Fuzzy Hash: 7891ADB19083119BD721DF14C892B6BB7F4EF95324F88892CF9998B291E374D944C7A3

Function 00164820 Relevance: 5.5, Strings: 4, Instructions: 508COMMON

Download Yara Rule

Strings

IHDR, xrefs: 00164C77
IEND, xrefs: 00164D5F
), xrefs: 001648B8
IDAT, xrefs: 00164CE4

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )$IDAT$IEND$IHDR
API String ID: 0-3181356877
Opcode ID: 55840056c9d0af2c2492eda1ac693e3f248c83c52593a1c71b4c36dc5ebd8925
Instruction ID: 7497e9c08c0e96c532a777e691b7a543cb5a23fcb7e17eacf3202a113c413e68
Opcode Fuzzy Hash: 55840056c9d0af2c2492eda1ac693e3f248c83c52593a1c71b4c36dc5ebd8925
Instruction Fuzzy Hash: 55122371A083408FD718CF28DC9076ABBE0EF95314F05866DF9858B392D779D919CB92

Function 0017C4BB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0017C74F
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0017C797

Strings

ba, xrefs: 0017C8C6

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ba
API String ID: 292159236-749160980
Opcode ID: faa7ffa156c1444e1b05b7bf840798c3a0ba302a126edf846e4e048320e1bcf0
Instruction ID: bf78316f05f2fb07988cb15ed73a8daa255b7628e5038950625c04dbcec8e95c
Opcode Fuzzy Hash: faa7ffa156c1444e1b05b7bf840798c3a0ba302a126edf846e4e048320e1bcf0
Instruction Fuzzy Hash: B26110B01083819FE764CF04C899B9BBBF5BBC5318F18891DE5E98B291CB759509CF92

Function 001943C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 001944E3
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0019451F

Strings

@, xrefs: 00194430

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: @
API String ID: 292159236-2766056989
Opcode ID: c39634ae55df45af6c75a2d2d86db53b91c0d82461c1cf32db8ae2ec5b993a9f
Instruction ID: ed6cc54f6f6761839bce428d1708c65a6ab6af27c24380ac8648f01e57776241
Opcode Fuzzy Hash: c39634ae55df45af6c75a2d2d86db53b91c0d82461c1cf32db8ae2ec5b993a9f
Instruction Fuzzy Hash: FD315AB15093159FD310CF18C844B5BBBE8FF89728F158A1CF9A497390D774D9488B96

Function 0017A8E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0017A98F
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0017A9DF

Strings

,, xrefs: 0017A964

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ,
API String ID: 292159236-3772416878
Opcode ID: d113a23207c60925a1ed2c6419e880ad5bbebdacb3198d7dc986597ebd85eee3
Instruction ID: 96a732bb1e6b17dfab110e8d9970cd57b478433215bebca6f7415511877aa6b4
Opcode Fuzzy Hash: d113a23207c60925a1ed2c6419e880ad5bbebdacb3198d7dc986597ebd85eee3
Instruction Fuzzy Hash: 8321F771208315AFE310CF19DC44B2BBBE9FB89768F14891CFA9497390D37198548B96

Function 001942B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00194362
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 001943AA

Strings

$, xrefs: 00194337

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: $
API String ID: 292159236-3993045852
Opcode ID: b3acc81a938927d2309e322438243f69a7787f40ef34171336c7e524637872f2
Instruction ID: a91a437fc1e9a7311b9a7f6d7eeda81bb1f9aba481728da6a926c825d543ad45
Opcode Fuzzy Hash: b3acc81a938927d2309e322438243f69a7787f40ef34171336c7e524637872f2
Instruction Fuzzy Hash: 39314A70209315AFE710CF19DC84B1BBBE8FB86718F14491CFA949B3D0D3B1A9458B96

Function 00177E5F Relevance: 4.3, Strings: 3, Instructions: 501COMMON

Download Yara Rule

Strings

pq, xrefs: 00178418
SW, xrefs: 0017830A
ihW, xrefs: 00177EE0

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: SW$pq$ihW
API String ID: 0-2057198179
Opcode ID: 855ccd4b3d83438c856edfa09505aace00ac34afb3e6b0dec1df9096b8d8fb9f
Instruction ID: 15fdbd985ba4366f423c87dc52b89fb9a447446da17b8214404a0709011a6eb2
Opcode Fuzzy Hash: 855ccd4b3d83438c856edfa09505aace00ac34afb3e6b0dec1df9096b8d8fb9f
Instruction Fuzzy Hash: CA12FEB45093819BE708DF11D4A4B6FBBF2BBC6708F14891CE4D94B395C77A8909CB86

Function 00172823 Relevance: 3.5, APIs: 2, Instructions: 492COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,00000000,?), ref: 00172DAE
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,?,?,?), ref: 00172DF9

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 7769633e08b420fce849eba815ce460d7c71e5725c1adb977a0e17aae645ad5e
Instruction ID: 048f979aeacd071b269a1f4f8eafc5a453905dcefeb2dd0fd263488c5efb963a
Opcode Fuzzy Hash: 7769633e08b420fce849eba815ce460d7c71e5725c1adb977a0e17aae645ad5e
Instruction Fuzzy Hash: 5B124A71204B408BE325CF24C895BE7B7F2FF99304F18892CD4AA8B692D77AB415CB40

Function 00165450 Relevance: 3.4, Strings: 2, Instructions: 882COMMON

Download Yara Rule

Strings

0, xrefs: 00165E5E
8, xrefs: 00165E56

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 96830eaa4d44d755426217940b55c35ddc4cea475f23a8437c0fe9c33a5890e4
Instruction ID: cd9852a1a7a1360d3657b98bafc89ed350dc6949cf2904ab17920f77d66b5ca8
Opcode Fuzzy Hash: 96830eaa4d44d755426217940b55c35ddc4cea475f23a8437c0fe9c33a5890e4
Instruction Fuzzy Hash: 218277716087409FDB24CF18C8947ABBBE2BF98314F08892DF9898B391D775D954CB92

Function 00184EE6 Relevance: 3.2, APIs: 2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c262cf1b82a39514097d20b1cb64cd03a85c19a00dac6623ef8f18a04164066
Instruction ID: 38b93028478caa7f50e86c40bc764e6aa2043a8b14f36dc6c17cf73e9c066115
Opcode Fuzzy Hash: 7c262cf1b82a39514097d20b1cb64cd03a85c19a00dac6623ef8f18a04164066
Instruction Fuzzy Hash: DB414974100B429FE365CF28C890B22BBE1FF0A714F244A0CE5E68BB90D775A845CF91

Function 0017C3B8 Relevance: 3.1, APIs: 2, Instructions: 134nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0017C564
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0017C5A6

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: f4f3ed91f3af8a1801b17c4fdabb99849bb5b1006efef13641e518f66cdfb17e
Instruction ID: 8ed6c036b5c42958d1c6fdc4c96f02b667b786dc860a6dcd3898d212bcc6a91c
Opcode Fuzzy Hash: f4f3ed91f3af8a1801b17c4fdabb99849bb5b1006efef13641e518f66cdfb17e
Instruction Fuzzy Hash: 1C51F0B41193819FE364CF05D890BAABBF4BB85308F048A1DE1DA8B390D7B49509CF92

Function 0018FB40 Relevance: 3.1, APIs: 2, Instructions: 106nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0018FC4F
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0018FC8C

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 68420bb5657e34ca71d4e8333c9e60b231c18ce4c60c6e6bdea9ac90f6abecc6
Instruction ID: 9a4df3f77f522ceaebb7d5df328d43fa2907ee19c68204e10137ee7452300d86
Opcode Fuzzy Hash: 68420bb5657e34ca71d4e8333c9e60b231c18ce4c60c6e6bdea9ac90f6abecc6
Instruction Fuzzy Hash: D9313AB01083059FE300DF19C854B5BBBE9FB85758F148A2CF4948B3D0D7B9994ACB96

Function 001815A3 Relevance: 3.1, APIs: 2, Instructions: 91nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00181944
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0018197B

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: c1af16703048b1c322adb567803f0771e2732e7c991b41f3433b385ec333eacd
Instruction ID: 5b85b6b72c7f41c411208379fd6cc7040232e5daa3d15037295519da2d827193
Opcode Fuzzy Hash: c1af16703048b1c322adb567803f0771e2732e7c991b41f3433b385ec333eacd
Instruction Fuzzy Hash: 9B313775211B018FE324CF28D890B63B7E9FB4A704F14890DE6A287BA0D7B0F445CB55

Function 0018DC00 Relevance: 3.1, APIs: 2, Instructions: 86nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0018DCAF
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0018DCF1

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 452615fb2e4618e837d047dd05eadafd4886ed03a6d3d621567ae761234d3c75
Instruction ID: 65e373697093c6db020d7aa57cf96b876f2a1eda26e44738ad22f913b04fe32e
Opcode Fuzzy Hash: 452615fb2e4618e837d047dd05eadafd4886ed03a6d3d621567ae761234d3c75
Instruction Fuzzy Hash: BF210C71109315AFD310DF19D844B1BBBE8EB8A768F14891DF9A4973D0D3B19944CB92

Function 00194090 Relevance: 3.1, APIs: 2, Instructions: 85nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00194133
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00194177

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 94292732304d1258112232290489a6038dab1f93aaacb52e438f760d8a26f2bd
Instruction ID: 3f555b4ade624b735ac4f33eca00e45e3a995dde9380529498db06823472ee9e
Opcode Fuzzy Hash: 94292732304d1258112232290489a6038dab1f93aaacb52e438f760d8a26f2bd
Instruction Fuzzy Hash: E2314A75208315AFE710CF14DC44B5BBBE8EB85764F04861CF9A4973E0D7B0A949CB92

Function 0017E3B0 Relevance: 3.1, APIs: 2, Instructions: 84nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0017E44E
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0017E488

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 8aa8ed80949a613c1912b82ba362055714f5d2f2bdae4e2604036513db7718a8
Instruction ID: a9238675046b2b6ad3753b2e3b39726499e305459f431e4bcdfeb96b75b79121
Opcode Fuzzy Hash: 8aa8ed80949a613c1912b82ba362055714f5d2f2bdae4e2604036513db7718a8
Instruction Fuzzy Hash: 1B21EF75200B518FE324CF28C884B53B7F4FB09718F14891DE6AA87BA0D7B0F8898B54

Function 00179B1C Relevance: 3.1, APIs: 2, Instructions: 84nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00179BC7
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00179BF6

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 3e66d683c7e75602f14fb5db271ddb82339d1f532d90080febe221b531d25d6c
Instruction ID: 6620aadf364682dbb34ecaa87bcc15e4b6f247834004ee74b4af302e018ca013
Opcode Fuzzy Hash: 3e66d683c7e75602f14fb5db271ddb82339d1f532d90080febe221b531d25d6c
Instruction Fuzzy Hash: 0D315775A0021ADFDB04CFA8D884BAEBBB4FB09714F184119E611E73A0D774A984CBA4

Function 00173B44 Relevance: 3.1, APIs: 2, Instructions: 83nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00173C30
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00173C70

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 4025191c233139888a76bba5c22504dc8a81697089770a72849e1f2b5980b140
Instruction ID: b20bfe58341d7ae3e446a06983cd03cc88b6178be64c9f457c09e878cbc1b68a
Opcode Fuzzy Hash: 4025191c233139888a76bba5c22504dc8a81697089770a72849e1f2b5980b140
Instruction Fuzzy Hash: 8E315870241B10CFE764CF28D894B97B7F6FB09314F04491CE2AA87AA1DB75B451CB44

Function 0018FF90 Relevance: 3.1, APIs: 2, Instructions: 83nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00190043
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00190082

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: cda764e7154acf8a1431490c628da3068c0d6474fb3b2e45e53acbd6fb5ee469
Instruction ID: cf9f35f06fc9a92bcb84c337b4c0ce89fafb3f8a196af5f5bf9d24577840520c
Opcode Fuzzy Hash: cda764e7154acf8a1431490c628da3068c0d6474fb3b2e45e53acbd6fb5ee469
Instruction Fuzzy Hash: 76215E71208315AFD310DF14D884B1BBBE8EB8A764F14891DFA9597390D371D949CBA2

Function 001771B9 Relevance: 3.1, APIs: 2, Instructions: 80nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0017742A
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00177459

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 74ad5b434fa6132307ab3f3ede2757a5838869847d2e8c04d89defe172d8ebfb
Instruction ID: 0b86f78ecbafcf2c41844d7ed570b6400cd64ee259f998f7588dab47cf42178d
Opcode Fuzzy Hash: 74ad5b434fa6132307ab3f3ede2757a5838869847d2e8c04d89defe172d8ebfb
Instruction Fuzzy Hash: 04210475209B05CFE364CF28D984B12B7E4BB09B18F148A1CE1ABC7AA1D7B4F584CB54

Function 0017E4F2 Relevance: 3.1, APIs: 2, Instructions: 79nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0017E5BA
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0017E5F5

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 77c61c337dc310f587f2c7a27c5ce45adcba4badb0f4968e9066adebcb4f80ca
Instruction ID: ba50459f43794aea0a86cc58ff460162cb328e36821a719960add9b98aae06bf
Opcode Fuzzy Hash: 77c61c337dc310f587f2c7a27c5ce45adcba4badb0f4968e9066adebcb4f80ca
Instruction Fuzzy Hash: 4B31F575215B548FE764CF28D888BA3B7E5FB09708F14491CD2AB87A90EB70B484CB65

Function 0017418B Relevance: 3.1, APIs: 2, Instructions: 75nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0017438D
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 001743E6

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: c2b103c395e8a2a348452c5db179eeb68137b779a19f18771f4c819fa57dcc0a
Instruction ID: a91e0cb15807753fca9b22d56eaeb4546b2883ac7caf440fec93d7778bc7dbef
Opcode Fuzzy Hash: c2b103c395e8a2a348452c5db179eeb68137b779a19f18771f4c819fa57dcc0a
Instruction Fuzzy Hash: BD215A71245B219FD320CF24C885BA7B7F8FB0A324F144A1DE6AA87AD0D770B444CB56

Function 0018FCA0 Relevance: 3.1, APIs: 2, Instructions: 70nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0018FD41
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0018FD71

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: db3cb5b50cab7cc2786a49c5a9193710ac3e59b64fc3feffd05f3aab96cba241
Instruction ID: aa6d4b7652e12f9140809ecd2cc63bfa6a08be2dba414e14d2bddb2c5c995084
Opcode Fuzzy Hash: db3cb5b50cab7cc2786a49c5a9193710ac3e59b64fc3feffd05f3aab96cba241
Instruction Fuzzy Hash: DE218CB0109305AFE310DF09DC44B2BBBE8FB85758F14892CF6948B3A0D7B59949CB92

Function 001790C1 Relevance: 3.1, APIs: 2, Instructions: 69nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00179154
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0017918D

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: c507b231f140b78ff950a4eb1f238c10f651099896dcf50b317b2d6a5dc79aa7
Instruction ID: 1d80033e1ae0cb7690af2d5eb0309d0c77d0c4500cb6a27a035f6f540cd08838
Opcode Fuzzy Hash: c507b231f140b78ff950a4eb1f238c10f651099896dcf50b317b2d6a5dc79aa7
Instruction Fuzzy Hash: 012135B01083018FE304CF18C844B6BB7F9FB89718F148A1DF6A5972A0C7B4D988CB96

Function 001763BC Relevance: 3.1, APIs: 2, Instructions: 59nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00176454
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00176485

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: ac347815f42b7a406b971ab397b4f7231306bf6a5d2b4e9b84d63e750f438b5f
Instruction ID: 729469878011fbf4bbed9f06df90ac1123f3e0b9fded110e15b44d773eace161
Opcode Fuzzy Hash: ac347815f42b7a406b971ab397b4f7231306bf6a5d2b4e9b84d63e750f438b5f
Instruction Fuzzy Hash: C72158B01497119FE300CF08D844B1BBBE8FB89718F04890CF59A9B2A1C774A949CB96

Function 00184FDC Relevance: 3.1, APIs: 2, Instructions: 55nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0018503A
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00185072

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 39c68e8239efeb521034b74e39d10e0fe7b644fa8e9b59417115cb25018c1404
Instruction ID: 6720e0dd22c5657fa3a4eb5ab2c8451716546fdf52818be5816be17d8b5008b8
Opcode Fuzzy Hash: 39c68e8239efeb521034b74e39d10e0fe7b644fa8e9b59417115cb25018c1404
Instruction Fuzzy Hash: 85116770144B159FE360CF24C808B52BBE5FB06718F14890CE6A68BAD0D7B0B444CB51

Function 0017E960 Relevance: 2.8, Strings: 2, Instructions: 264COMMON

Download Yara Rule

Strings

]\_, xrefs: 0017EC50
Y[, xrefs: 0017EC48

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: Y[$]\_
API String ID: 0-3803755346
Opcode ID: 1101922c18d238547f3775dafd49a3070d8ad6f1385fb3411ca4147beec849ba
Instruction ID: 4c3771ec581aa177ff9530103b5c3608d556748d6f291a8fdd61640b9e71df3a
Opcode Fuzzy Hash: 1101922c18d238547f3775dafd49a3070d8ad6f1385fb3411ca4147beec849ba
Instruction Fuzzy Hash: B49156B01083418BD724CF15C8A176BBBF0FF86768F148A5DE4969B291E378D909CB96

Function 00183DC0 Relevance: 1.9, Strings: 1, Instructions: 693COMMON

Download Yara Rule

Strings

khgn, xrefs: 001841D9

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: khgn
API String ID: 0-185697465
Opcode ID: 070c04055399fd65fe73a5f8d537580757c6eacab2ba21f4483027d106aca7d9
Instruction ID: 0abf73f7a603f2b8183588e2ab47ead01511227b2cea9dea83b922a392f81d96
Opcode Fuzzy Hash: 070c04055399fd65fe73a5f8d537580757c6eacab2ba21f4483027d106aca7d9
Instruction Fuzzy Hash: 27326E741046828FE725CF28C4A0B62BBF1FF6A304F28499CD5D68B392D735A945CFA1

Function 00161000 Relevance: 1.8, Strings: 1, Instructions: 583COMMON

Download Yara Rule

Strings

, xrefs: 00161206

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3422140365c33654a7abbb64bb3ac0f341e601701e03fa99aa0b590fc1022ac5
Instruction ID: e105ed9b25e47051092777124473175df0b1a77ac3439dfc2b0bd129e56e2140
Opcode Fuzzy Hash: 3422140365c33654a7abbb64bb3ac0f341e601701e03fa99aa0b590fc1022ac5
Instruction Fuzzy Hash: 70222871A0C791ABD724CE29C8A036BBBE2ABD2310F1CC92DE5D6477D2D3799854C781

Function 0018520B Relevance: 1.7, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

f_, xrefs: 0018571B

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: f_
API String ID: 0-2333948650
Opcode ID: 055685a08066145efa5bb3ef02f20bd13ffc20ee17272f891f65ae19ad2f1ff0
Instruction ID: 5cd8dcf1d9823e32a9a3b233e8f52304521a4174619fe2657dc7c525a2ca96be
Opcode Fuzzy Hash: 055685a08066145efa5bb3ef02f20bd13ffc20ee17272f891f65ae19ad2f1ff0
Instruction Fuzzy Hash: 95E15AB0504A428FD729CF29C0A0722FBE2FF5A314F68865DD4D68B792D739A945CF90

Function 001852A9 Relevance: 1.7, Strings: 1, Instructions: 433COMMON

Download Yara Rule

Strings

f_, xrefs: 0018571B

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: f_
API String ID: 0-2333948650
Opcode ID: e192e9aefc3beea3abc42b6e7ed8018f385ce6ffd5d34dd6629552bed9599454
Instruction ID: d446836dd633bd76198e9350322de110ebf2fb1368f3ef9342ed983772797cb5
Opcode Fuzzy Hash: e192e9aefc3beea3abc42b6e7ed8018f385ce6ffd5d34dd6629552bed9599454
Instruction Fuzzy Hash: 5EE19CB0504A428FD729CF29C0A0722FBE2FF5A314F68869DD4D68B791D739A945CF90

Function 0018466A Relevance: 1.7, Strings: 1, Instructions: 422COMMON

Download Yara Rule

Strings

S@ZQ, xrefs: 00184A38

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: S@ZQ
API String ID: 0-3562939948
Opcode ID: fd95713d3d8f8115184fcb4d24f377f27fe10d44011a6cb26e36676275a0a656
Instruction ID: 30b905d535f40b6ea54a8eb06bc4b57bafbdc662797e81b1356a5e4091afece3
Opcode Fuzzy Hash: fd95713d3d8f8115184fcb4d24f377f27fe10d44011a6cb26e36676275a0a656
Instruction Fuzzy Hash: 11E15D741046828FE729CF29C0A0726FBE2BF66304F28869CC4D24B796D779A945CF94

Function 00184A1C Relevance: 1.6, Strings: 1, Instructions: 361COMMON

Download Yara Rule

Strings

S@ZQ, xrefs: 00184A38

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: S@ZQ
API String ID: 0-3562939948
Opcode ID: 553ca9fdbd14966e18d77308dd94d83bde432b91444110ee1e3acc3633ab8d35
Instruction ID: c332f0fe0a35dd0b660607a4ae5dce758d5fde902d0e0cea62c046b6a6b6ed10
Opcode Fuzzy Hash: 553ca9fdbd14966e18d77308dd94d83bde432b91444110ee1e3acc3633ab8d35
Instruction Fuzzy Hash: F7D17FB01046828FE729CF29C0A0722FBE1BF66304F28869CC4D64F796D779A945CF95

Function 001737F3 Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000006,?,00000200,?), ref: 001738C4

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 2b2318bb60057eaacff1a7fa9150eb066aa449d2b26fa7595b08807c7f7a6657
Instruction ID: 94994563f16f3265ead4696847304a8490896a57568e3ce695500f12cef03d61
Opcode Fuzzy Hash: 2b2318bb60057eaacff1a7fa9150eb066aa449d2b26fa7595b08807c7f7a6657
Instruction Fuzzy Hash: 2A319834200B118BD3248F20C891BB3B3F2EF4A315F04980DE5EB8B691EB38B956CB51

Function 00179350 Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

1iDk, xrefs: 00179402

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 1iDk
API String ID: 0-1621131942
Opcode ID: 40e3497affd5838ee2a64c9266babcdbb0824583537f37809c85260c3e6c1d03
Instruction ID: dcd41b0cdbf9b6b3ff1a02a61e20215dc375539a047c302b8ac4a9cb01b6083b
Opcode Fuzzy Hash: 40e3497affd5838ee2a64c9266babcdbb0824583537f37809c85260c3e6c1d03
Instruction Fuzzy Hash: 88C122B1100B019BD724CF26D491BA6BBF1FB49314F048E5CD4EA8BA52D738F58ACB94

Function 001667F0 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

,, xrefs: 00166943

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6453aa0199f8805114bbc91ebdd927ccc4af3d64524ec0081da15823b0fba469
Instruction ID: 7e20b0e1ea30841e971ce57d455f89d0b73317f58bdfb133742bc79d46f51d14
Opcode Fuzzy Hash: 6453aa0199f8805114bbc91ebdd927ccc4af3d64524ec0081da15823b0fba469
Instruction Fuzzy Hash: 19B12971609381AFD314CF68C88465BFBE0AFA9304F444A5DF59897382D375EA28CB96

Function 00176266 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

mn2, xrefs: 00176379

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: mn2
API String ID: 0-3593888445
Opcode ID: 8d76a9f1172f62f0b3ab500e5e19fbb3be9a573b49360c8ae41a72644a9cbf8f
Instruction ID: 7400d3af5756cc75760a61d079fe0f47c0ae12fd5c6efc82525dade11930c2d6
Opcode Fuzzy Hash: 8d76a9f1172f62f0b3ab500e5e19fbb3be9a573b49360c8ae41a72644a9cbf8f
Instruction Fuzzy Hash: 4B31A0B29546208BCB259F18CC9367773F0FF66364B09912DE88A8B3A2F735AD44C751

Function 0018095B Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

q, xrefs: 00180A53

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-389260800
Opcode ID: b16f98602c51f70dc959e7b4e90d7a15cb2d57cbd94109714b64268cc2bc6412
Instruction ID: 75e7b6b77bc51e64f5d047ab28e8ca1ab141330624d36c152a88f0f5d3b37f3c
Opcode Fuzzy Hash: b16f98602c51f70dc959e7b4e90d7a15cb2d57cbd94109714b64268cc2bc6412
Instruction Fuzzy Hash: C43136B0601B508BDB29CF20C8D5A667BB1FB49300F14859CD9478FB8AC33AE656CB95

Function 00167E10 Relevance: .9, Instructions: 851COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83622410ff41487bf125e1c11d66996ff3ae748d359dbd726af2f124ffe188aa
Instruction ID: 4bff65675056225d0f588132b6e7d50b915b64d21ded562e9b56d54013599cd5
Opcode Fuzzy Hash: 83622410ff41487bf125e1c11d66996ff3ae748d359dbd726af2f124ffe188aa
Instruction Fuzzy Hash: BF52F4716083158BC724DF18DC906BAB3E1FFD4318F298A2DD99687391EB34E965CB42

Function 00163390 Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403c363b42924fb31a255d714429356bf4f942345a28253b0c4cbe4c92458c15
Instruction ID: e38018a1519a4f908fd5db8c1dec0dc3b2e4f3b287c7f4bbb24e4d424ff22978
Opcode Fuzzy Hash: 403c363b42924fb31a255d714429356bf4f942345a28253b0c4cbe4c92458c15
Instruction Fuzzy Hash: 4A62C4715083518FC715CF18C48066AB7E1FF88318F298AAEE8E95B342D775EE56CB81

Function 00163E20 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5092c30e9630f8cbdcf0f22c62ed59d5f4592ddc69b1f48da862b3d8afa52e91
Instruction ID: 29132872e719434b4a631c8e5ebc07df3eea36c4f27966521ab72f0597d7c83c
Opcode Fuzzy Hash: 5092c30e9630f8cbdcf0f22c62ed59d5f4592ddc69b1f48da862b3d8afa52e91
Instruction Fuzzy Hash: D8425874514B118FC728CF28C99066ABBF1FF95310B618A2DE9A78BB90D735F855CB10

Function 00166200 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd1fb4559eb3b5879a4cf4f469239533c2d0f8da58bdd087bc8caa4b216edbd
Instruction ID: 7fe9fa910de8b35740a6c4ef247835cf5f87e24706b2c60095efac0bbcf68b30
Opcode Fuzzy Hash: 1cd1fb4559eb3b5879a4cf4f469239533c2d0f8da58bdd087bc8caa4b216edbd
Instruction Fuzzy Hash: E302C0326083408FC718CF28C89162ABBE5FF98304F59896DF9999B352E775DC15CB92

Function 00178AF0 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbad3e94e5a9f7f5de47208d573d2cdf32fd8807ea27ac502defd54347f0225
Instruction ID: 249022cf1c2f215123009068a482cde52afbbcd349189220e03ee2d1ab792f02
Opcode Fuzzy Hash: 7fbad3e94e5a9f7f5de47208d573d2cdf32fd8807ea27ac502defd54347f0225
Instruction Fuzzy Hash: 55C1BDB05483118BD724CF14C8A17ABB7F1FFA2354F148A1CE8D94B390EB799945CB96

Function 00168B60 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb1bc46273109f7458ab74a52e8c281c226c2b023987159e4231bf422b6c0998
Instruction ID: e66b9da487441fa751d55ab33de07592b8fc2c6b99f70a7ee420503a31bc2b3b
Opcode Fuzzy Hash: bb1bc46273109f7458ab74a52e8c281c226c2b023987159e4231bf422b6c0998
Instruction Fuzzy Hash: 21D1E672A086018BC314CE29DCD4356FBE3AFD5320F29CB6DD5955B3E5EB3588528B81

Function 001725E9 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a348d7caa36f8b9df9adf093347602022ad9046ba3eb359f489d323b9c38b47
Instruction ID: a207e9aea72d77ec45a12bf45e007ea95312470f66b4e6d0238c3f9a61829d2b
Opcode Fuzzy Hash: 1a348d7caa36f8b9df9adf093347602022ad9046ba3eb359f489d323b9c38b47
Instruction Fuzzy Hash: 165129756007408FC725DF29C580A63B7F6FB99320B25D92EE89AC7B51EB34F8468B50

Function 001747AF Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff2483aa72dea0a8bf4dec8066ac3cd475f8cc2cbd313d55b38d51a6a1ac0029
Instruction ID: e362e4f5e98e7ac630e6f0ba475626029a6db16aad223e2bbb47dca5d2b2f7ef
Opcode Fuzzy Hash: ff2483aa72dea0a8bf4dec8066ac3cd475f8cc2cbd313d55b38d51a6a1ac0029
Instruction Fuzzy Hash: E35166B0600B418FD726DF24C894B67B7F6BF59350F148A2DD4AA87691EBB0F845CB90

Function 0018D9A0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14a77e03b9ec93c491432ccf29bf4971831dd60c9a72ab418a1cdfe84afe96e
Instruction ID: c4d67881607d90669c5f790f903933e69ac9ee9afa0fe41c1fea8de2e9ff9b37
Opcode Fuzzy Hash: b14a77e03b9ec93c491432ccf29bf4971831dd60c9a72ab418a1cdfe84afe96e
Instruction Fuzzy Hash: 80518BB19087458FE714EF29D89075BBBE1AB84308F108E2DE4E583391D779DA09CF92

Function 00171CFA Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33559e368cb8b470272afbf03a77edf7581dfbe4ea895df19504798c7351ffdd
Instruction ID: 8d18c1a8a097c17489786418049c19709c87fcd50ce970d71c8b7f10c5b2d446
Opcode Fuzzy Hash: 33559e368cb8b470272afbf03a77edf7581dfbe4ea895df19504798c7351ffdd
Instruction Fuzzy Hash: E85123B0500B41AFD736CF28C494BA3B7F5BB49314F148A2DD4AA87A91E774F849CB91

Function 00171600 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222faf3ab3a5deb160c8957564cfceafb6408fdb242e9b23f9d563189e614bdb
Instruction ID: 55f9d046e08fa0101d69ed6adcdb5d9303c5a58c3c23f392c5abc56c74e6c779
Opcode Fuzzy Hash: 222faf3ab3a5deb160c8957564cfceafb6408fdb242e9b23f9d563189e614bdb
Instruction Fuzzy Hash: 8B411372A182A05BD3488E3D889023ABAE2AFC5314F19CA6EF4E9C73D1D7B4C945D751

Function 00162FB0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80bb1705779015f850563d326c8f0116f19f4f6c099297390a64e1c9b417c090
Instruction ID: aab60a83c59f877571d1d0174241d024d739d0cf50c35a09c181b93a5ada2dc4
Opcode Fuzzy Hash: 80bb1705779015f850563d326c8f0116f19f4f6c099297390a64e1c9b417c090
Instruction Fuzzy Hash: DB2127326581700BCB0CCA36DCE05767B93D7C732271E826FEA9247696CB39995DC720

Function 001688C0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7b8f47dfd71d7cccb983fbf7aaa8102b2f4aceb73621c04df20fc30f488878
Instruction ID: 749105c2b01d7c63ec39b3aa0ce53d3a630e88db9026650220c1fd58b95f650a
Opcode Fuzzy Hash: fe7b8f47dfd71d7cccb983fbf7aaa8102b2f4aceb73621c04df20fc30f488878
Instruction Fuzzy Hash: BF21A4268497E145873B853C48A0436FED158E621D35E87EFD8E657343CA168886D3E6

Function 001689A0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27196f8ff10a336b0c0aaca2e1a977e1861f62a8436cdef7aa3826bbf0062200
Instruction ID: ac2382faf077c107ccf5e03250991ec324e055459cff5b76be8f2f21b505676b
Opcode Fuzzy Hash: 27196f8ff10a336b0c0aaca2e1a977e1861f62a8436cdef7aa3826bbf0062200
Instruction Fuzzy Hash: 0511023760A2844E473C991C8C60C76BA4489E230831E82EFDD8997313CE56C81AC2AA

Function 0017504F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99de2ba226e150dc60dbbe5137f00fa7cbc266fe17407ab2316973cdff562094
Instruction ID: 182910dd0941b7cbd8ce4cacdfa6f3ba3d5a23a2aff80e9bec4160e9c175fcee
Opcode Fuzzy Hash: 99de2ba226e150dc60dbbe5137f00fa7cbc266fe17407ab2316973cdff562094
Instruction Fuzzy Hash: DE1190313467814FD3668B24C861BE6BBF1AF07310F48486ED4DBC7642CB286859CB42

Function 00187386 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb7fd6f10145fbc06bd9f5a90c97c5942f1f09beed1cf625d55e630b2e49faa
Instruction ID: da1f532ddb76f3bcbf7e0f5d7c3b67f84e71071ecb2c9229b6a55be500e7750d
Opcode Fuzzy Hash: efb7fd6f10145fbc06bd9f5a90c97c5942f1f09beed1cf625d55e630b2e49faa
Instruction Fuzzy Hash: C0F049721087418FC312CF34C955A87BBF5BF89300F168A6ED49987651D774B549CB82

Function 00177031 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3a9a61f26e2c530a551b9460959f28c5bc3d845e5cb9d04bf090266fc1bb0e
Instruction ID: f80256372103ba328d88f6a62ec426dd4fa28b46b3dff6c4b0b78012ecc908e3
Opcode Fuzzy Hash: 7f3a9a61f26e2c530a551b9460959f28c5bc3d845e5cb9d04bf090266fc1bb0e
Instruction Fuzzy Hash: 57E0E5392469018BCB0CCB28F9A1A367372EB86B09B18901CE416C7E64C734EC819B14

Function 0019276D Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e901300dc7153c86a58721b4f4eebe4e843ae8ecbc3b2899529c0f68bb9d410e
Instruction ID: 4a9d3fd2e4eee8e71826dedd4a5f924b1eacc79a0d95a1b9c06bd3a03e67c861
Opcode Fuzzy Hash: e901300dc7153c86a58721b4f4eebe4e843ae8ecbc3b2899529c0f68bb9d410e
Instruction Fuzzy Hash: F5D02E80E180E067CF048B32AC0AE333E2A8FE738BB0C6000F0889330AE124C130D275

Function 00192C90 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec30f88e34591d62c1e1ae3ad94436abe8e3e35cfcda56d71f5f707ceeedbc1
Instruction ID: e7874e5028e73e3a8fa44b926366f2cdfa49ec1da01bf65db6f090a6d8e40b1f
Opcode Fuzzy Hash: fec30f88e34591d62c1e1ae3ad94436abe8e3e35cfcda56d71f5f707ceeedbc1
Instruction Fuzzy Hash: 28C08C24958288778A289F1AEE86C73B73CD747248F003019F6A7D3A81C510E8C08AFA

Function 001932E1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3453d6313e4a0b3ea75149329e5fab2d91073ab28596ac77544f4390ace6a25f
Instruction ID: 138d3f83e274e3d68f7eafccfd15d5e5312ab87df02c4c147e64e384d24d2e03
Opcode Fuzzy Hash: 3453d6313e4a0b3ea75149329e5fab2d91073ab28596ac77544f4390ace6a25f
Instruction Fuzzy Hash: 2BC002399091409B8688CF01D890475F377EBDB214F597549DC4223B5AC670E8569A48

Function 0016BEDC Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1dfdc32660a459d11bbff7160e45f5a1f1759c30bd615c3f7ec0cf9e706351
Instruction ID: a78a68ed3a947080999df9a13e9b3728e8f94164c8415f7221fd2ec0a579fbaf
Opcode Fuzzy Hash: cb1dfdc32660a459d11bbff7160e45f5a1f1759c30bd615c3f7ec0cf9e706351
Instruction Fuzzy Hash: 8CD0A7305401818FC759DF38C2EBF8077E1AB09200F8944ADD88BCFA86CB306240CB00

Function 00193DE9 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e72c1302d678e86bd3b4feda6a35873731d899098539fc7bf86d96e5ec73e56
Instruction ID: 17f9e9a101c2a12748cac639d096d070393469d118da9ee1415b9f280048588e
Opcode Fuzzy Hash: 8e72c1302d678e86bd3b4feda6a35873731d899098539fc7bf86d96e5ec73e56
Instruction Fuzzy Hash: 6CB09239E48100C7828ACF18E951432A378930B214B01301AE206E3792C930D484CA18

Function 0017CA30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 0017CB64
RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,?,?), ref: 0017CB93

Strings

]_, xrefs: 0017CBA1
eI.K, xrefs: 0017CA5F
qs, xrefs: 0017CA6F

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: eI.K$]_$qs
API String ID: 237503144-625656762
Opcode ID: f3e84fff43b9b9e4d050cfa448660ed7c92ef018619393c83da8b0c5a435684d
Instruction ID: 990690ceed092809f55720cb030c14cb8d48304c3d558eece543984dd148ea63
Opcode Fuzzy Hash: f3e84fff43b9b9e4d050cfa448660ed7c92ef018619393c83da8b0c5a435684d
Instruction Fuzzy Hash: 875152B1108342ABD304CF15C895B5BBBF4EF86794F148E2DF8E48B291D378D9458BA6

Function 001764F5 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 00176728
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00176764

Strings

qrs, xrefs: 00176793

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: qrs
API String ID: 237503144-2859022563
Opcode ID: 2bc8bb731a170a60b313f16c285fb6fa49e5cb65ce925df8a466347fea433501
Instruction ID: 8a8ade7af3970c9aa52ec2615a514dca44072d2207dad7d2ff7cc0a98d22c852
Opcode Fuzzy Hash: 2bc8bb731a170a60b313f16c285fb6fa49e5cb65ce925df8a466347fea433501
Instruction Fuzzy Hash: 40C18CB5900B00AFD760CF29D982763BBF5FF49350F15461DE8AA8B7A0E335A541CB92

Function 00178FD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 0017900A
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00179038

Strings

<u0, xrefs: 00179063

Memory Dump Source

Source File: 00000005.00000002.1606736796.0000000000160000.00000040.00000400.00020000.00000000.sdmp, Offset: 00160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_160000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: <u0
API String ID: 237503144-3891312201
Opcode ID: a610b1f5402105173321a5c5bba8dab6b967dac943ba4a1058a98c2d5284540d
Instruction ID: 50a1d6c18294ad79d37f458d24085ee3bdc55990e8f586b997f81ae46ac0aae6
Opcode Fuzzy Hash: a610b1f5402105173321a5c5bba8dab6b967dac943ba4a1058a98c2d5284540d
Instruction Fuzzy Hash: 2801C4716443047FE624EB689C86FB7727CDB45B64F044208FA65C72C1E770BE0886B1

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_214.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

UDP Packets

Windows Analysis Report
LisectAVT_2403002A_214.exe

Function 00193EB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147
nativememoryCOMMON

Function 00190E9D Relevance: 6.1, APIs: 4, Instructions: 127
nativememoryCOMMON

Function 001917F2 Relevance: 6.1, APIs: 4, Instructions: 121
nativememoryCOMMON

Function 001941A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87
nativememoryCOMMON

Function 00176010 Relevance: 3.1, APIs: 2, Instructions: 69
nativememoryCOMMON

Function 0016A7C0 Relevance: 3.0, Strings: 2, Instructions: 534
COMMON

Function 001916EC Relevance: 1.5, APIs: 1, Instructions: 44
nativeCOMMON

Function 00191E75 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 126
COMMON

Function 00191A16 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 66
libraryCOMMON

Function 00191B55 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
libraryCOMMON

Function 001690A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
COMMON

Function 0019152A Relevance: 1.6, APIs: 1, Instructions: 93
libraryCOMMON

Function 001922B5 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 00192A7F Relevance: 1.6, APIs: 1, Instructions: 50
memoryCOMMON